
5/09/2014

SPAM: Jennifer Woodard (woodardjennifer27@yahoo.com)
DOMAIN: darwinistneleridusunmez.com
IP: 180.180.146.4 Bangkok, THAILAND

DOMAIN:
http://darwinistneleridusunmez.com/
  • https://www.virustotal.com/de/url/51ee5532251a6a564ea561ab27211e864beec50df216a0827b1bb1052c369a5a/analysis/1399629448/
http://darwinistneleridusunmez.com/lsy/view.php
  • https://www.virustotal.com/de/url/9d8251b452e80791bae691d8eebe0681a092719cf553c5e80c6b1784793c0928/analysis/1399629579/
DOMAIN IP:
http://54.247.100.110/
  • https://www.virustotal.com/de/url/e1792fc59ff57735b91d13358c35cf0028ecf8516e36fbe23060b1eb8db96e10/analysis/1399631113/
  • https://www.virustotal.com/de/ip-address/54.247.100.110/information/
IP LISTED AT SPAMHAUS (CBL)
  • http://www.spamhaus.org/query/bl?ip=54.247.100.110
  • http://cbl.abuseat.org/lookup.cgi?ip=54.247.100.110
  • http://www.senderbase.org/lookup/?search_string=54.247.100.110

MAIL IPs:
1)
http://180.180.146.4/ (THAILAND)
  • https://www.virustotal.com/de/url/dff9af04709b5bc1aec3f2705bafe872a9a57b8a23d9b29f75c117c0a5aba04a/analysis/1399629695/
SPAM MAIL SERVER & DICTIONARY ATTACKER:
  • https://www.projecthoneypot.org/ip_180.180.146.4
LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=180.180.146.4
E-MAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=180.180.146.4
2)
http://66.147.244.82/ (UNITED STATES)
  • https://www.virustotal.com/de/url/d60b98e987232df8a76c2aadaa8982b3d03a2b4a1a2cc91d829c296f513b13f1/analysis/1399630027/
  • https://www.virustotal.com/de/ip-address/66.147.244.82/information/
BHA: 19
  • https://www.projecthoneypot.org/ip_66.147.244.82
3)
http://14.4.4.6/ (SOUTH KOREA)
  • https://www.virustotal.com/de/url/ea36277fb5e01f8d0713c1937c952433fa0d3e3d11956f161dd989b3a6a07219/analysis/1399630197/
LISTED AT SPAMHAUS (SBL & DROP)
  • http://www.spamhaus.org/query/bl?ip=14.4.4.6
  • http://www.spamhaus.org/sbl/query/SBL187947
  • http://www.senderbase.org/lookup/?search_string=14.4.4.6
4)
http://69.89.23.228/
  • https://www.virustotal.com/de/url/f15acfaf6680089b7af8ce6db92c64f2420b0f92e1bcb14af18e2420b2d5de79/analysis/1399631488/

5/08/2014

ANGLER EXPLOIT KIT (& HEUR:Trojan.Script.Generic)
Newly Detected Malicious DOMAINS from FRANCE:
black-salope.photos-films-x.com
www.photosx-videosx.com
belles-noires.photosx-videosx.com

IPs: 23.239.17.30 & 194.150.236.81

FRENCH MALWARE DOMAIN(s):
LINKS TO INFECTED DOMAINS (HEUR:Trojan.Script.Generic / ANGLER EXPLOIT KIT)

SITE:
http://black-salope.photos-films-x.com/
  • https://www.virustotal.com/de/url/afd7b2909fd81c0403dcd2d7751966ce255d6011b4217b857f102f0bd02b1d7d/analysis/1399550506/
SPECIFIC MALICIOUS URL:
http://black-salope.photos-films-x.com/black-salopes.html
  • https://www.virustotal.com/de/url/dd6f70d37f067050a8e9e7c9a902ed98e18697b125206252d2f9ab8ee4e44e80/analysis/1399550918/
  • http://quttera.com/detailed_report/www.photosx-videosx.com
INFECTED LINKS FOUND HERE:

1)
http://www.photosx-videosx.com/
  • https://www.virustotal.com/de/url/304eacef10ded96e02de6a8c7377facaf6fe00fa0f7abfb4916e509406caa0b0/analysis/1399551145/
HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/8eb3907b32e45e38453b56a05aed6b0132f31e7db511e14da383c2e0821b55ea/analysis/1399551334/
  • Malicious iframe injection
  • Angler exploit kit URL pattern
  • https://urlquery.net/report.php?id=1399551228285
--->
http://promo.vador.com/js/tc_loader.js
  • https://www.virustotal.com/de/url/8cc9be1632fafa63070ba909501c2c1253363913f508c68ca851e53d3e997082/analysis/1399553305/
  • https://www.virustotal.com/de/file/017051c711d3cd4e1dfdfba7976237e86bcbf1841b8c4e96627c929403ea9a20/analysis/1397006857/
---->

DOMAIN:
http://consciousnesszone.com/
  • https://www.virustotal.com/de/url/ac7d259785dcda43ec1ec46b60d5be4f6850e7f516a35007fff1a3c34df8daee/analysis/1399553019/
  • http://sitecheck.sucuri.net/results/consciousnesszone.com
MALICIOUS URL (DOCWRITE)
http://consciousnesszone.com/wp-content/plugins/InstaBuilder/zE1ZWXxV.php?id=1707269
  • https://www.virustotal.com/de/url/e389ae2a547adde57bd8665fd45aa84307e994f550e08c11e2b3b125cdef3ee4/analysis/1399552408/
DOMAIN:
http://socialmediahelpforbusinesses.com/

  • https://www.virustotal.com/de/url/bb5f27c3c682dcde39769b673429d69f6ba7bb293824ffa555807aaafa16ee25/analysis/1399552046/
EXPLOIT URL (in this case a random path):
http://socialmediahelpforbusinesses.com/o5a8oheam8
  • https://www.virustotal.com/de/url/98ba770ce401bfc84286efaed8dd08e614c1c8f74198fb2f429bb91ebf6fed55/analysis/1399552020/
EXPLOIT ANGLER
  • https://www.virustotal.com/de/file/59831c7074ce6fb3cad1c442da9d8f943340909375e156ce988d3b6a5cbf86ee/analysis/1399551862/
---------------------------------------------------

2) SAME FOR
http://belles-noires.photosx-videosx.com/
  • https://www.virustotal.com/de/url/356c31acbf7f736f50a26783583632d2754b8a0094339ed70d4c1703d941f164/analysis/1399553987/
HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/37ccdabc9e5d4dc17f00af44f311417577ab1dfe884634e663ae15184e37de0e/analysis/1399554228/
  • http://urlquery.net/report.php?id=1399554055463
---------------------------------------------------
IPs:

1)
http://194.150.236.81/
  • https://www.virustotal.com/de/url/090783f03563157938a2c276a895517863727923085fe8723335e188fbe0efd3/analysis/1399554601/
  • https://www.virustotal.com/de/ip-address/194.150.236.81/information/
2)
http://23.239.17.30/
  • https://www.virustotal.com/de/url/698f78c8e171958c4fe2e9090202804a5ec63d5b1a03bb31abae5094a7bef84c/analysis/1399554712/

U.S. NAVY MILITARY HACK 2012:

Nicholas Paul Knight & Daniel Trenton Krueger

charged with hacking US Navy computer systems and sites


Daniel Trenton Krueger, 20, of Salem, Illinois and Nicholas Paul Knight, 27, of Chantilly, Virginia, were accused of conspiring "to hack computers and computer systems as part of a plan to steal identities, obstruct justice, and damage a protected computer" from April 2012 to June 2013, court documents and prosecutors said.

USS Harry S. Truman

Knight, a former systems administrator in the nuclear reactor department of the USS Harry S. Truman, was the self-proclaimed leader and publicist of "Team Digi7al," prosecutors said. He used the names Inertia, Iner7ia, Logic and Solo and has been a hacker since the age of 16, charging documents say. He was discharged from the Navy after he was caught trying to hack a Navy database while at sea.

In an interview with a reporter for the website Softpedia, parts of which are quoted in charging documents, "Iner7ia" said that he was originally a white-hat hacker who found and reported security vulnerabilities. But he became bored and said "the people I did work for were ungrateful and sometimes they wouldn't take me seriously."

He admitted being a member of the United States Navy and said that he worked for the people of the U.S., not the government, hacking primarily government sites. "I believe that if we can't protect ourselves against a cyber attack, then how can we trust the government to protect against anything else?"


He said that he uses a separate computer to avoid being caught, and at one point said, "I just hope that I can retire knowing I was never caught and arrested. Haha"

Krueger, who was studying network administration at an undisclosed college, did the hacking "out of boredom," prosecutors said. He went by the names Thor, Orunu, Gambit and Chronus.

Charging documents say that in June of 2012, the Naval Criminal Investigative Service (NCIS) detected a breach of a Naval database located in Oklahoma that contains the Social Security numbers, names, and birth dates of roughly 220,000 members of the military.


"The Navy quickly identified the breach and tracked down the alleged culprits through their online activity, revealing an extensive computer hacking scheme committed across the country and even abroad," said U.S. Attorney Danny C. Williams of the Northern District of Oklahoma.

U.S. Attorney Danny C. Williams
The NCIS and Defense Criminal Investigative Service identified Knight and Krueger as the hackers of the Navy database as well as systems belonging to the U.S. National Geospatial-Intelligence Agency, the Department of Homeland Security, AT&T U-verse, universities, police departments in Toronto and Alabama and the entire email account of the Peruvian ambassador to Bolivia.

They posted links to the data via Team Digi7al's Twitter account, and one co-conspirator said they released the data because they were "somewhat politically inclined to" but also because it was "fun, and we can," prosecutors said.

The U-verse hack compromised the personal information of 3,500 customers. The June 2012 Navy hack left 700 overseas military members unable to access the system and get "logistical support" for their transfers for more than 10 weeks, and cost the Navy more than $500,000, documents say.

The U.S. National Geospatial-Intelligence Agency

After the NCIS searched Knight's Virginia home in February of 2013, he admitted "many" of his Team Digi7al activities and agreed to cooperate, but told a juvenile co-conspirator to delete data, documents say.

That juvenile and two others who hacked for Team Digi7al were not charged.

Illinois ONLINE CHILD PREDATORS 2009/2012:
Eight Self-Identified ‘Boy Lovers’ Sentenced to Federal Prison for Sexual Exploitation Crimes

Three years after several self-identified “boylovers,” who met in person and online to discuss their sexual interest in children and trade child pornography, were arrested in an FBI sting during or soon after a purported party at a hotel in suburban Skokie, a total of eight defendants have been convicted and sentenced to federal prison terms as a result of the investigation. The sentences ranged from nine years for a suburban Crest Hill man sentenced last week in Chicago to 120 years for a Missouri man sentenced last year in St. Louis.


Six of the eight defendants pleaded guilty and three of them cooperated against others, while the Crest Hill man and a Missouri defendant were convicted after separate trials. All were prosecuted as part of an investigation by the Chicago FBI’s Innocent Images Task Force, which culminated with the undercover sting in September 2009.

“The sentences in these cases reflect the stark reality that defendants who prey upon children by sexually exploiting or abusing them will be punished severely,” said Gary S. Shapiro, Acting United States Attorney for the Northern District of Illinois. He announced the sentences together with William C. Monroe, Acting Special Agent in Charge of the Chicago Office of the Federal Bureau of Investigation.

Mark McGill, 27, of Crest Hill, was sentenced to nine years in prison, followed by 20 years’ supervised release, by U.S. District Judge Joan Gottschall on October 9th, 2012. McGill was convicted of possessing and distributing child pornography after a trial in March 2012. Evidence at McGill’s trial showed that he had attended at least one party with other “boylovers.”

In August 2009, McGill gave a cooperating defendant a thumb drive containing approximately 3,500 images and nearly 60 videos containing child pornography.

Jose Garcia, 25, of Schererville, Indiana, was sentenced to 33 years in prison, followed by lifetime supervised release, by U.S. District Judge Amy St. Eve on July 23. Garcia, who cooperated, pleaded guilty to producing, possessing, and distributing child pornography.

Jacob Elliott, 32, of Matteson, was sentenced to 20 years in prison, followed by 10 years’ supervised release, by U.S. District Judge John Grady on July 18. Elliott, who cooperated, pleaded guilty to producing and possessing child pornography.

Corey Stinefast, 30, of Kenosha, Wisconsin, was sentenced to 18 years in prison, followed by lifetime supervised release, by Judge St. Eve on June 13. Stinefast pleaded guilty to possessing and distributing child pornography, and he was found to have amassed a collection of more than 191,000 images of child pornography.

Neal Maschke, 42, of West Chicago, was sentenced to nine years in prison, followed by five years’ supervised release, by U.S. District Judge Samuel Der-Yeghiayan in October 2010. Maschke pleaded guilty to possessing child pornography.

McGill, Maschke, Garcia, Stinefast
Donald Peppers, 38, of Hoffman Estates, was sentenced to 27 years in prison, followed by lifetime supervised release, by the late U.S. District Judge William Hibbler in December 2010. Peppers, who cooperated, pleaded guilty to producing, transporting, and possessing child pornography, including an admission that he had produced a video of himself sexually molesting a 1-year-old child. Peppers’ arrest and subsequent cooperation touched off the investigation that resulted in the other prosecutions.

Garcia and Maschke were arrested when they showed up for what they believed was going to be a “boylovers” party at the Skokie hotel in September 2009. McGill and Stinefast were arrested a short time later. Two other defendants, Michael Martin and Matthew Klopfenstine, were convicted in federal courts in St. Louis and Kansas City, respectively, based on evidence gathered during this investigation. Martin was sentenced last year to 120 years in prison for producing child pornography, and Klopfenstine was sentenced recently to 15 years and eight months for producing child pornography.

5/05/2014

Spyware ALIASES for:
PAK:PE Patch / PAK:ASProtect

PUA.Win32.Packer.Asprotect-2 (Clamav)
  • http://www.clamav.net/lang/en/
Win32.SuspectCrc (Ikarus)
  • http://www.ikarussecurity.com/
PAK:PE Patch (PAK:ASProtect) (Kaspersky)
  • http://www.securelist.com/en/descriptions/29810394/ASProtect
Packed.Win32.Black.d
"It is packed using PE Patch and ASprotect."
  • http://www.securelist.com/en/descriptions/6134039/Packed.Win32.Black.d
Trojan-Dropper.Win32.Delf.grq
"It is packed using ASprotect. The unpacked file is approximately 915 KB in size. It is written in Delphi."
  • http://www.securelist.com/en/descriptions/16268043/Trojan-Dropper.Win32.Delf.grq
PWS:Win32/Zbot.AFW (Microsoft)
"This password-stealing trojan can monitor your keystrokes and send the recorded information to a hacker. This can include your online activity such as visits to banking websites."
  • http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Zbot
Trojan.Win32.Generic!BT (Sunbelt)
  • http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32poisontrojanwin32genericbt
TSPY_ZBOT.TE (TrendMicro)
"This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It modifies the Internet Explorer Zone Settings. It deletes itself after execution."
  • http://about-threats.trendmicro.com/malware.aspx?language=au&name=TSPY_ZBOT.TE
Variant of Win32/Kryptik.AIJU trojan (NOD32)
  • https://www.virustotal.com/de/file/0a5bf022f878ee811a038a1fd9c8cedfd5d13e7bb028542e4bc7469fdc3272e1/analysis/

ANALYZING HASHES
MD5: 589eb00c8d071f8b81a782772dde514a
PUA.Win32.Packer.Asprotect-2 (Heur.Win32.Veebee.3!O)

FROM:

http://athan.islamicfinder.org/screensavers/Ramadan1.exe
  • https://www.virustotal.com/de/url/2ffeb9ca413dc2756602d3650c0d178698b0b19c573bfeeedbb46584842934f4/analysis/1399297572/
PUA.Win32.Packer.Asprotect-2
  • https://www.virustotal.com/de/file/7e6b28c0b34dd2bf037e80016e38636e64e5d9e0f7ad939c69c4895e32e74200/analysis/1399297418/
  • https://urlquery.net/report.php?id=1399297906951


MD5: 589eb00c8d071f8b81a782772dde514a INCLUDES:

1) ConfigureScr.exe
  • https://www.virustotal.com/de/file/dd4d2dd4690f895ee3e4a6dc319e8ed4e7282f21bc818dfed49068873fc01353/analysis/1399298315/
2) Ramadan1.SCR
Heur.Win32.Veebee.3!O
PUA.Win32.Packer.Asprotect-2
  • https://www.virustotal.com/de/file/cdc9ed6d336b530f70adce5e836eccd5da7ec06447594a3830ed10af20f18dcd/analysis/
3) RemoveScr.exe
  • https://www.virustotal.com/de/file/52a7f3cb893fdaf4aa2a7f20b585047b2b128b07a10d7f0606222d990d40cd49/analysis/1399298943/

Grizzly Adam:
Maybe .......................................!............?

Deep inside the forest
Is a door into another land
Here is our life and home
We are staying, here forever
In the beauty of this place all alone
We keep on hoping

Maybe
There's a world where we don't have to run
And maybe
There's a time we'll call our own
Livin' free in harmony and majesty
Take me ho-ome
Take me home


Walkin' through the land
Where every living thing is beautiful
Why does it have to end
We are calling, oh so sadly
On the whispers of the wind
As we send a dying message

Maybe
There's a world where we don't have to run
Maybe
There's a time we'll call our own
Livin' free in harmony and majesty
Take me home
Take me home

Maybe
There's a world where we don't have to run
Maybe
There's a time we'll call our own
Livin' free in harmony and majesty
Take me home
Take me home

(Maybe)
Maybe there's a world where we don't have to run
Maybe
There's a time we'll call our own
Livin' free in harmony and majesty
Take me home
Take me home (....fade)

5/04/2014

PHISHING SCAM!
Subject: "The hottest sex positions in the world" from:
wonder-save.de (IP: 46.137.116.197)

SPAM - SCAM - PHISHING DOMAIN
(MAIL THROUGH sexpositions@load-next.com)

http://www.wonder-save.de/
  • https://www.virustotal.com/de/url/4cbee3944f626152a7b0e565989dfcdfa97128d9e1661e8b2f881544bdcf38a7/analysis/1399057180/
HTML=LOOOOOOOLLL (Rattenscharfe Amateute am laufenden Band)
  • https://www.virustotal.com/de/file/d079714ab2586e4eb1d64bdea7ea0904160f2c848b0cb84b1c4040e82f79e501/analysis/1399057765/

BitDefender DOMAIN information: "This URL domain/host was seen to host badware at some point in time"

DOMAIN BLACKLISTED AT:
1) WOT
  • https://www.mywot.com/en/scorecard/wonder-save.de
2) SURBL
  • http://www.surbl.org/lists
3) JoeWein
  • http://www.joewein.net/
ADDITIONAL LINK:
http://www.wonder-save.de/o/e181067801c9b41237c8ca23126a2754c00befbb41d019e0470c71483874f92d
  • https://www.virustotal.com/de/url/2a9d116e843f5d5ca49d2b1e8fecb2be80998c6d79b9fccfeacd62a13a0f4ee3/analysis/1399063964/
HTMLSRC
  • https://www.virustotal.com/de/file/b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b/analysis/1398895856/
REDIRECTION TO --->
http://www.medusa.mx/open/e181067801c9b41237c8ca23126a2754c00befbb41d019e0470c71483874f92d
  • https://www.virustotal.com/de/url/d8053385191d602cccc3bde8afc22a3f99814f27d239f74787787b55b110a46f/analysis/
HTMLSRC
  • https://www.virustotal.com/de/file/b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b/analysis/1398895856/
DOMAIN:
http://www.medusa.mx/
  • https://www.virustotal.com/de/url/a451ede892082c712db5d49ed9152ed9bb0dd59aad190acb4be3d4d1320b8bfc/analysis/1399064361/
IP:
http://176.34.253.56/
  • https://www.virustotal.com/de/url/d4999bea2206837dff08b433a4c099eb794b7f1e3c5aafb7cad21895a2382f86/analysis/1399065373/
  • https://www.virustotal.com/de/ip-address/176.34.253.56/information/
REDIRECTS TO --->
http://newsletterabo.com/
  • https://www.virustotal.com/de/url/53fb33f8aea6cfadcd5fcaea7cf34509d2e95721acefa4058490a024d37eb9bd/analysis/1399064949/
IP:
http://62.129.143.124/
  • https://www.virustotal.com/de/url/753211dc1d21447d75875e36d3dd36c195078e99d32c3039c3dbee0232c96cd6/analysis/1399066574/
  • https://www.virustotal.com/de/ip-address/62.129.143.124/information/
LISTED AT SPAMHAUS (SBL):
  • http://www.spamhaus.org/query/bl?ip=62.129.143.124
Some 5,000 SPAMVERTISED DOMAINS ARE hosted HERE:
  • http://www.spamhaus.org/sbl/query/SBL112409
WEB-REP: POOR
EMAIL-REP: POOR
  • http://www.senderbase.org/lookup/?search_string=62.129.143.124
HTMLSRC
  • https://www.virustotal.com/de/file/ed3d4bf96a6e2c0c0f9ac7b27701b8dbab3fbfeb8078a3b4a847c1a797d8cd6d/analysis/1399064611/
SEE AS WELL:
  • http://sitecheck.sucuri.net/results/www.medusa.mx
  • http://sitecheck.sucuri.net/results/newsletterabo.com
-----------------------

MAIL SENT THROUGH:
http://load-next.com/
  • https://www.virustotal.com/de/url/7ac028fb0869d91755fb1a260da32b7189872856761e98b271bbf7c54283b670/analysis/1399061768/
  • https://www.virustotal.com/de/file/989e7a7c0680624b684c78468a1a1909c98a96dbce68c3a6d9a7d9122314aceb/analysis/1399061565/
  • https://www.virustotal.com/de/file/4ee70fe07827224c29f73047c71569c8fe740b370506cdd8b13e203a0ea5244d/analysis/1399061582/
IP:
http://95.130.125.232/ (AUSTRIA)
  • https://www.virustotal.com/de/url/e75688860b8f4224a5c62a7bfdb9c424a7a1e97e237eb40730d991c7d7e2ea42/analysis/1399063376/
  • https://www.virustotal.com/de/ip-address/95.130.125.232/information/
Fwd/Rev DNS Match: NO
  • http://www.senderbase.org/lookup/?search_string=95.130.125.232
-----------------------

IP:
http://46.137.116.197/
  • https://www.virustotal.com/de/url/1475cbe1f128f13cfbc44a6ef054af0e4edbfe87b1a881fcf912045eb62ab857/analysis/1399059664/
  • https://www.virustotal.com/de/ip-address/46.137.116.197/information/