
Showing posts with the label France.

4/17/2014

Comment SPAMMER: 37.59.88.251 = Malicious IP from Roubaix, France



MALICIOUS IP: COMMENT SPAMMER (FRANCE)
FOUND ON A CnC BOTSERVER ROUNDUP LIST

IP seen with 30 user-agents
21 web post submissions sent from this IP
  • https://www.projecthoneypot.org/ip_37.59.88.251
http://37.59.88.251/
  • https://www.virustotal.com/de/url/8054a21ddb8f63f903b056ccad3527d3ebc27bdb9799de478cb0b5cdf3aad5b4/analysis/1397725938/
  • https://www.virustotal.com/de/ip-address/37.59.88.251/information/
  • https://www.virustotal.com/de/file/f85e4b5b4089a91599c87da17d10eba5c1535fcc83fce58231b85cbf55bd376d/analysis/1397726108/

4/08/2014

Category MALICIOUS IP:
5.135.188.193 (kimsufi.com)

COMMENT SPAMMER from (Roubaix, FRANCE)



CATEGORY MALICIOUS IP: 
COMMENT SPAMMER
LISTED AT TORNEVALL

FOUND ON EXPLOIT KIT STATISTIC ROUNDUP:
(one row of the hosts table; the "Start date of last visit" and "Last page of last visit" columns were empty)
Host             Pages   Hits   Bandwidth   Last visit date
5.135.188.193    16      16     5839847     20140115134221 (2014-01-15 13:42:21)


HOST:
http://5.135.188.193/  (Roubaix, FRANCE)
  • https://www.virustotal.com/de/url/ad6cf5b5cc0ac88abe48f641f12ebb0bad4d7bf1d40e15af5f0383471eede4de/analysis/1396905319/
HOSTNAME: (Registered February 15th 2001)
http://ks3294570.kimsufi.com/
  • https://www.virustotal.com/de/url/9e0bfb2602bc25eb416989ffd0cb78bb0e35108f06b6dd5fe4acc5604718cf3e/analysis/1396907424/

WEPAWET: NON-EXISTING DOMAIN
  • http://wepawet.iseclab.org/view.php?hash=fb0cdf5e77cfec395b4db8bf802df86d&t=1396905343&type=js

DOMAIN: (IP: CANADA)
http://kimsufi.com/
  • https://www.virustotal.com/de/url/b2957ee6fe072c26c66415b45c22062fa9319dcd11a935ccc6808ddf8d88c4f1/analysis/
IP: 213.186.33.80  (FRANCE)
  • https://www.virustotal.com/de/url/bf71c3ee663f088661ee99420e310491c614b03b26557c771d040669e9cfe8e8/analysis/
  • https://www.virustotal.com/de/ip-address/213.186.33.80/information/
  • http://toolbar.netcraft.com/site_report?url=213.186.33.80
REDIRECTS TO:
http://www.kimsufi.com/
  • https://www.virustotal.com/de/url/70a198d280f8e42e13903be64df4dbebf292ed8f3ff5d58360ee0af9f1ea9ae3/analysis/1396908942/
IP (CHANGE): 198.27.92.3  (Montréal, CANADA)
  • https://www.virustotal.com/de/url/9e2487ef003597430ea9b8bf016675f1fb4501d516ab468212099b57ad707c87/analysis/1396909634/
REDIRECTS TO:
http://www.kimsufi.com/fr/index.xml
  • https://www.virustotal.com/de/url/69f5933404d7b76ef3e0d002add1516e622d015ddacf4cfeda5803f73673424d/analysis/1396909006/
REDIRECTS TO:
http://www.kimsufi.com/fr/
  • https://www.virustotal.com/de/url/30f30cae7dc114a98734d84bf5eb806a0932e6767c17e05b5f767ef4a5e3cbb3/analysis/1396909110/
  • https://www.virustotal.com/de/file/11114b722dd11cc71086f1d47fcb36ca7b2b5fce27413ecb8d3da00a70fc336d/analysis/1396909603/
  • https://www.virustotal.com/de/url/9e2487ef003597430ea9b8bf016675f1fb4501d516ab468212099b57ad707c87/analysis/1396909634/
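Tracing a redirect chain like the kimsufi.com one above by hand means fetching each hop without letting the client follow redirects, otherwise the intermediate Location headers are never seen. The Python below is an added example, not the blog's own tooling: it records every hop, resolves relative Location values against the current URL, and stops on a loop or after a hop limit. The fetcher is a parameter, and the response table at the bottom is constructed to mirror the hop sequence listed above (the status codes are assumed, the post does not record them), so the walk also runs offline.

```python
"""Follow an HTTP redirect chain one hop at a time (added example, not the blog's code)."""
from urllib.parse import urljoin
import urllib.error
import urllib.request

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on a 3xx instead of
    following it; the error object still carries the code and headers."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, timeout=10.0):
    """Network fetcher: (status, Location header or None) for one hop.
    HEAD is used so the last hop (on this blog often an .exe) is not
    downloaded; some servers answer HEAD differently from GET, which is a
    known limitation of this choice."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "Mozilla/5.0 (redirect tracer)"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def follow_chain(start_url, fetch=urllib_fetch, max_hops=MAX_HOPS):
    """Walk redirects from start_url; returns the hop list and why the walk stopped."""
    hops = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return {"hops": hops, "final_status": status, "stopped": "end"}
        nxt = urljoin(url, location)   # Location may be relative, e.g. "/fr/"
        hops.append(nxt)
        if nxt in seen:                # A -> B -> A style loop
            return {"hops": hops, "final_status": status, "stopped": "loop"}
        seen.add(nxt)
        url = nxt
    return {"hops": hops, "final_status": None, "stopped": "max_hops"}


# Constructed response table modelled on the hop sequence listed in the post;
# the status codes are assumed, the post does not record them.
FAKE_RESPONSES = {
    "http://kimsufi.com/": (301, "http://www.kimsufi.com/"),
    "http://www.kimsufi.com/": (302, "/fr/index.xml"),
    "http://www.kimsufi.com/fr/index.xml": (302, "/fr/"),
    "http://www.kimsufi.com/fr/": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for hop in follow_chain("http://kimsufi.com/", fetch=fake_fetch)["hops"]:
        print(hop)
```

Swap fake_fetch for the default urllib_fetch to trace a live chain; keep the hop limit, since TDS redirectors are happy to bounce a client indefinitely.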
--------------------------------------------------------------------------------------------------------------------------------------------
LISTED AT TORNEVALL:
  • http://dnsbl.tornevall.org/  (http://www.ipvoid.com/scan/5.135.188.193)

User-Agents: 30
Web post submissions: 52
  • https://www.projecthoneypot.org/ip_5.135.188.193

Netcraft Risk Rating: 9/10
  • http://toolbar.netcraft.com/site_report?url=5.135.188.193
ALSO:
  • http://www.stopforumspam.com/ipcheck/5.135.188.193
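The reputation checks cited for this IP (Tornevall DNSBL, Project Honeypot, Spamhaus) all work the same way: the address's octets are reversed and queried as a hostname under the list's zone, and a 127.x.x.x answer encodes the verdict, while NXDOMAIN means "not listed". The Python below is an added example, not the blog's tooling. It builds those query names for Spamhaus ZEN and Project Honeypot's http:BL (the two lists whose answer codes are documented by their operators), decodes the answers, and performs the lookup when run online. The http:BL access key is a placeholder, and Tornevall's answer codes are not decoded here.

```python
"""DNS-blocklist lookups for a suspect IPv4 address (added example, not the blog's tooling)."""
import ipaddress
import socket

# Placeholder: Project Honeypot issues real http:BL access keys (assumed value for the demo).
HTTPBL_ACCESS_KEY = "abcdefghijkl"

ZEN_ZONE = "zen.spamhaus.org"
HTTPBL_ZONE = "dnsbl.httpbl.org"

# Spamhaus ZEN: the last octet of a 127.0.0.x answer names the sub-list.
ZEN_CODES = {
    2: "SBL", 3: "SBL CSS",
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL", 11: "PBL",
}

# Project Honeypot http:BL answer: 127.<days since last activity>.<threat score>.<type bits>
HTTPBL_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def reversed_octets(ip):
    """'5.135.188.193' -> '193.188.135.5' (DNSBLs key on the reversed address)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split(".")))


def zen_query_name(ip):
    return "%s.%s" % (reversed_octets(ip), ZEN_ZONE)


def httpbl_query_name(ip, key=HTTPBL_ACCESS_KEY):
    return "%s.%s.%s" % (key, reversed_octets(ip), HTTPBL_ZONE)


def decode_zen(answer):
    """Map one ZEN A-record answer to a list name. 127.255.255.x answers are
    query errors (public resolver, malformed query, rate limit), not listings."""
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError("unexpected ZEN answer %s" % answer)
    if octets[1:3] == [255, 255]:
        return "query error %s (not a listing)" % answer
    if octets[1:3] != [0, 0]:
        raise ValueError("unexpected ZEN answer %s" % answer)
    return ZEN_CODES.get(octets[3], "unknown code %s" % answer)


def decode_httpbl(answer):
    """Split an http:BL answer into its three fields; type 0 is a known search engine."""
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError("unexpected http:BL answer %s" % answer)
    days, threat, kind = octets[1], octets[2], octets[3]
    types = [name for bit, name in HTTPBL_TYPES.items() if kind & bit]
    return {
        "days_since_last_activity": days,
        "threat_score": threat,
        "types": types or ["search engine"],
    }


def lookup(ip, key=HTTPBL_ACCESS_KEY):
    """Query both zones; a resolver error (NXDOMAIN) means 'not listed'."""
    result = {"ip": ip, "zen": None, "httpbl": None}
    for field, name, decode in (
        ("zen", zen_query_name(ip), decode_zen),
        ("httpbl", httpbl_query_name(ip, key), decode_httpbl),
    ):
        try:
            answers = socket.gethostbyname_ex(name)[2]   # a listing can return several A records
        except (socket.gaierror, socket.herror):
            continue
        result[field] = [decode(a) for a in answers]
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(lookup("5.135.188.193"), indent=2))
```

Run it from a resolver you control: Spamhaus answers queries relayed through large public resolvers with an error code rather than a listing, which decode_zen reports instead of misreading it as a hit.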

4/05/2014

pchelpsoft.com welcomes you with:
MALICIOUS DOWNLOADS (Win32/SpeedingUpMyPC) PLUS
HIDDEN IFRAMES
(IP: 107.6.189.44)
as well as a Bad Reputation
USA & FRANCE


FOR WEBMASTERS & BLOGGERS
If you own a website or blog and participate in Google AdSense, you should block the domain www.pchelpsoft.com in your AdSense dashboard to protect your own reputation. The site lets your visitors download and install persistent adware or other malware, in this case a variant of Win32/SpeedingUpMyPC. See the following report:


MALICIOUS ADvertiser & HIDDEN IFRAMES

Screenshot showing only SOME of the detected hidden iframes

DOMAIN:
http://www.pchelpsoft.com/
  • https://www.virustotal.com/de/url/5c3edae4e373ca3e00b12d47e8cca063d95788ce51bf2231183583fb09c410fe/analysis/1396709017/
W32.HfsIframe
  • https://www.virustotal.com/de/file/5423ccf2d362c574dd92ee16048771654c0c147615e30969708287e823e86d14/analysis/
AD-LINK:
http://googleads.g.doubleclick.net/aclk?sa=l&ai=C_5YSLfY_U477Oaf97QbKlYCICo_WvewF95Pew5MBwI23ARABII7AlCNQ59rJ-fr_____AWC7A6AByYS85gPIAQGpArbIwK_Uja4-qAMByAPDBKoEhAFP0DaVh04U04otA5RC7LkKN6Bb_76Gi-a6KPMQvyX3m8F19ghuSsCTgBc7cUAPAstOz7czutL_m7MOzFOIkKzeFLZ3UN9ZUEOlz4xXwJPPBb5gK8G6YxHi-4h_mZg4uzJ7soJ9bRaeuP_OZ2MIq7zyOqfZY3eePfaxuKdr22MRIEQwDEuAB5_7wxk&num=1&sig=AOD64_3jGSApnWn_Emx9WI29PpLZtrEk6Q&client=ca-pub-5585202032329389&adurl=http://www.pchelpsoft.com/pc-cleaner/lp1-ms/%3Ftracking%3DPH_EN_PP_GO_CO_ROW_PCC%26keyword%3D%26campaignID%3DADWORDS&nm=39&mb=2&bg=!A0Q9TCHak0v0HwIAAABKUgAAADcqAOG1EZitqUzYO4cdHgIIvh0nlm7oDd0knPeZUrYknpQ3F5-tZmBmXeKSHkPmRrr_CHVhEUhzRoOlThSLBgrs5fJLBrB5bES3Cg3gSdBl8Q6gTAGIzXrrfFYMCH9BIYOWLOuS7dqRqWoHQHEer0wQaFUVg8VOCK9FOIlzVHnwhGYzDu54619Pr81rBHDv7mscitGvxqSMzZirAzqRJipFcOzj4t9u__q1EYkusciy23n30yN3jgPeP_Ps4igDQY2IWVDYlesicGJKIgCoclKMhqQuga9DgkcUZAewYWXsVZknShE

VT ANALYSIS:
  • https://www.virustotal.com/de/url/aaa0b4defa15863722a5a1f3a972cb1b5ae58782a51ee2ddf099479d13401a25/analysis/
W32.HfsIframe
  • https://www.virustotal.com/de/file/97297c8b5512bf9630a4785d5efc8b1fa8c0ed256a259f41f2e420dd7ab75f3f/analysis/
URL After Redirect:
http://www.pchelpsoft.com/pc-cleaner/lp1-ms/?tracking=PH_EN_PP_GO_CO_ROW_PCC&keyword=&campaignID=ADWORDS&gclid=COLyicasyb0CFcU-Mgod9WIAFg
  • https://www.virustotal.com/de/url/b812f343e219878f936a148c61d82ee7b868b62f126c33035034c30558cff252/analysis/
W32.HfsIframe
  • https://www.virustotal.com/de/file/33e518a1049cacd6ad92fcb4dc8cc4276a7def88a673ec8f8b6730169c874399/analysis/1396709347/
OTHER (MALICIOUS) LINK OF THIS DOMAIN:
http://webtools.pchelpsoft.com/download.cfm?tracking=PH_EN_PP_GO_CO_ROW_PCC&keyword=&campaignID=ADWORDS&gclid=CJi1oOCsyb0CFcx9OgodfGkAVg&go=http://cdn2.pchelpsoft.com/pch_downloads/pc-cleaner-3248.exe
  • https://www.virustotal.com/de/url/1ac047af6364f4d0b32c39cc39916c2f2c20126ac9084b34a8e37fc243575e3a/analysis/1396710143/
Win32/SpeedingUpMyPC
  • https://www.virustotal.com/de/file/61825b61802647f122a2faf60ed2b06d4d139939c2305f421557ba7aadeaca8d/analysis/1396709870/
---> REDIRECTION TO: (7 AV-FLAGS)
http://cdn2.pchelpsoft.com/pch_downloads/pc-cleaner-3248.exe
  • https://www.virustotal.com/de/url/695aac7dd7c803f95c1ff3fb22114a8c07710377c1f761360b4919703dde422d/analysis/
Win32/SpeedingUpMyPC
  • https://www.virustotal.com/de/file/61825b61802647f122a2faf60ed2b06d4d139939c2305f421557ba7aadeaca8d/analysis/1396709870/

SEE AS WELL (WOT scorecard categories):
Scam
Misleading claims or unethical
Poor customer experience

  • https://www.mywot.com/en/scorecard/pchelpsoft.com
LISTED AT HpHosts:
  • http://hosts-file.net/?s=pchelpsoft.com
IPs:
http://107.6.189.44/  (Chicago, U.S.A.)
  • https://www.virustotal.com/de/url/500ee0900e907eb3ec6ddfa941715422ba0d629117bd78a11abfc425e792f55a/analysis/1396710479/
  • https://www.virustotal.com/de/ip-address/107.6.189.44/information/

http://217.195.25.241/  (Le Pecq, FRANCE)
  • https://www.virustotal.com/de/url/2fcdb898c3033fa329006d6ad7a857426898b76c36d4031015e80c74b1bcdc0e/analysis/1396710659/
  • https://www.virustotal.com/de/ip-address/217.195.25.241/information/

http://205.251.253.160/  (Seattle, U.S.A.)
  • https://www.virustotal.com/de/url/69651f27754573792bde992f0a5bdbb08107d6477da0e85a9f383504ced67cad/analysis/1396710819/
  • https://www.virustotal.com/de/ip-address/205.251.253.160/information/
BHA: 3
  • https://www.projecthoneypot.org/ip_205.251.253.160
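The W32.HfsIframe hits above are what a scanner flags when it finds iframes that the page goes out of its way not to show. The Python below is an added example, not the blog's or any vendor's detection logic: it parses a page and reports iframes hidden by zero size, a hiding style, or off-screen positioning, and separately lists script includes loaded from hosts other than the page's own, which is the other common sign of injected content on this blog. The sample HTML is constructed for the demonstration and is not taken from pchelpsoft.com.

```python
"""Flag hidden iframes and off-site script includes in HTML (added example, not the blog's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_STYLE_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_STYLE_OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d+", re.I)
_STYLE_TINY = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)


def _tiny_attr(value):
    """True for width/height attributes of 0 or 1 (bare numbers or pixel values)."""
    match = re.match(r"\s*(\d+)", value or "")
    return bool(match) and int(match.group(1)) <= 1


def classify_iframe(attrs):
    """Return the reasons an iframe counts as hidden (empty list means visible)."""
    reasons = []
    if _tiny_attr(attrs.get("width")) or _tiny_attr(attrs.get("height")):
        reasons.append("zero-size attribute")
    style = attrs.get("style") or ""
    if _STYLE_HIDDEN.search(style):
        reasons.append("hidden by style")
    if _STYLE_OFFSCREEN.search(style):
        reasons.append("positioned off-screen")
    if _STYLE_TINY.search(style):
        reasons.append("zero-size style")
    return reasons


class InjectScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hidden_iframes = []   # (src, reasons)
        self.offsite_scripts = []  # script src values on other hosts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)            # HTMLParser already lowercases attribute names
        if tag == "iframe":
            reasons = classify_iframe(a)
            if reasons:
                self.hidden_iframes.append((a.get("src") or "", reasons))
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname   # None for a relative src
            if host and host.lower() != self.page_host:
                self.offsite_scripts.append(a["src"])


def scan(html, page_host):
    parser = InjectScanner(page_host)
    parser.feed(html)
    parser.close()
    return {"hidden_iframes": parser.hidden_iframes,
            "offsite_scripts": parser.offsite_scripts}


# Constructed sample page for the demo (not captured from any real site).
SAMPLE_HTML = """<html><body>
<h1>PC Cleaner</h1>
<iframe src="http://evil.example/in.php" width="0" height="0"></iframe>
<iframe src="http://evil.example/two.php" style="position:absolute;left:-9999px;top:-9999px"></iframe>
<iframe src="http://evil.example/three.php" style="display:none;width:1px;height:1px"></iframe>
<iframe src="http://www.example.com/video" width="640" height="360"></iframe>
<script src="/js/site.js"></script>
<script src="http://www.example.com/js/app.js"></script>
<script src="http://cdn.badhost.example/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_HTML, "www.example.com"))
```

The off-site script list is deliberately naive (a legitimate CDN shows up too); its value is in diffing it against a known-good crawl of the same page.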

3/28/2014

PHISHING SPAM from:
www.ereatvipgame.la
In Connection with ratgeberplatz.com
AUSTRALIA: 14.2.24.1 IRAN: 217.219.253.210
"Beste deutsche Casinos in 2014" ("Best German casinos in 2014") (sercoinfo.com: FRANCE)

We have compiled a list of the best online casinos for you and would like to give you the opportunity to take advantage of an exclusive bonus offer when you sign up at one of these casinos.
Countless offers with free spins and deposit bonuses are available.

Sign up at a casino of your choice via one of the links on our websites and secure an exclusive bonus.

Visit our website here. http://www.ereatvipgame.la/

Kind regards

Carl Barmasser

******************************

***********
Please click here if you no longer wish to receive emails from us:
http://unsubscribe.ereatvipgame.la/

PHISHING MAIL SCREENSHOT

DOMAIN:

http://www.ereatvipgame.la/
  • https://www.virustotal.com/de/url/7b3bf62ec24c544a9e4b7b53b67d056583bf372543626015ec36fcdcfc4c02ac/analysis/1396002960/

UNSUBSCRIBE LINK:

http://unsubscribe.ereatvipgame.la/
  • https://www.virustotal.com/de/url/bb6c5411fdff163d11176dde943c5d8ea743983fe2ffbab867e6ee046dc6a5a5/analysis/1396003189/

ORIGINATING IPs:
14.2.24.1
  • https://www.virustotal.com/de/url/6671096f3f434b58d889520e044498210faf3944dae80d8a5a084fd47ee0e3a6/analysis/1396003406/
  • http://www.senderbase.org/senderbase_queries/detailip?search_string=14.02.24.01
217.219.253.210
  • https://www.virustotal.com/de/url/af19ac8d166ab0e796dbcb19ce8e9aaded5ddbf78bca8ef42c42a19b0caff8cb/analysis/1396003561/

 SPAMHAUS PBL LISTED:
  • http://www.spamhaus.org/query/bl?ip=217.219.253.210
  • http://www.senderbase.org/lookup/?search_string=217.219.253.210



THROUGH MAILSERVER:

sercoinfo.com
  • https://www.virustotal.com/de/url/0e5a930aab7957867dc351f4678e6d0b854a0a9292d5fdbcb43c14eb0fe33e29/analysis/1396004036/
Why ratgeberplatz.com is involved in this phishing run can be seen in the following blog post: both use the same spam-server IP:

http://stayaway2.blogspot.com/2014/03/just-another-spam-from_29.html 

3/20/2014

SPYWARE DOMAIN: terra.mastertop100.net
TROJAN REDIRECTOR (Pagesinxt Malicious Redirect)

USA-RUSSIA-CANADA-Virgin-Islands
NORWAY-NETHERLANDS-FRANCE-ITALY


MALICIOUS DOMAIN:
SPYWARE - TROJAN REDIRECTOR 

USA-RUSSIA-CANADA-Virgin-Islands-NORWAY-NETHERLANDS-FRANCE-ITALY
http://terra.mastertop100.net/
  • https://www.virustotal.com/de/url/b99bc9716fa430c1e0417a758ddf03d3eaf1ca33f8619da37756c61e8469e559/analysis/1395328043/
Pagesinxt Malicious Redirect
  • https://urlquery.net/report.php?id=1395328112708
FULL REPORT (.txt): document hosted at UploadEdit.com

3/11/2014

DAILY PHISH, SPAM & SCAM:
news.online-surftipps.com & gratisinfoservice.de (IP 2.1.8.110)
"Revolutionary business idea:
get in, and lose your entire fortune in the process"

FRANCE & GERMANY

Dear Sir or Madam,

There is now a new revolutionary business model that lets you enter one of the largest markets in the world.

Find out which one here.
http://gratisinfoservice.de/ilead.php?prodid=_&agent=_
SCAM-Screenshot
http://gratisinfoservice.de/
  • https://www.virustotal.com/de/url/e1b612f6268292103b7df2845a421146f141143c714ef342b3a66f20b20eea8b/analysis/1394563241/
http://gratisinfoservice.de/ilead.php
  • https://www.virustotal.com/de/url/5a7fbc141a4903d49a1ef4f967d29681d710596b9497007d9319d6f4f6f29ddf/analysis/
Originating IP

2.1.8.110
  • https://www.virustotal.com/de/url/f511e3823cedc584bdcd55ec4b788197390a851dcf630c4398caba3cbc929d36/analysis/1394563757/

LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=2.1.8.110

Email Reputation: Poor
  • http://www.senderbase.org/lookup/?search_string=2.1.8.110
------------------------------------------------------------------------------------------------------------------------

http://news.online-surftipps.com/
  • https://www.virustotal.com/de/url/9b289c2e28e2790291f4b6fad96c31623ea5894c4867379652d4adbda52f3b38/analysis/1394563975/

3/10/2014

Newly Detected: HEUR:Trojan.Script.Generic @ doxyworld.pagesperso-orange.fr (IP: 193.252.122.54) FRANCE, GERMANY


NEWLY DETECTED MALWARE PAGE: HEUR:Trojan.Script.Generic

DOMAIN:
http://doxyworld.pagesperso-orange.fr/
  • https://www.virustotal.com/de/url/be5e27bd2dab4929346a3864e019a06629eabd2ec299fc273e3adedd827bb8eb/analysis/
HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/1001774c185cdf8ae86cf818031e76284cb449ada029e67cd6b4e5768052e23d/analysis/1394454288/
TDS URL PATTERN
  • https://urlquery.net/report.php?id=9843517
--->
http://asdpietroguarino.ilbello.com/post.php?id472092
  • https://www.virustotal.com/de/url/1304d7f29d95a0bafaf13f6ecf4f9c082702bfe8109abe22a5a56b87ed058a91/analysis/1394454714/

3/01/2014

SPAM, SCAM, PHISH DOMAIN:
news.online-surftipps.com & allesunverbindlich.com & tradebutler.de
(Side job on offer)
FRANCE & GERMANY (IP: 2.1.8.110)


Dear Sir or Madam,

an international corporation is looking for committed online office staff for its expansion into Germany.
Very good earning opportunities (up to €25 per hour) await you in a part-time or full-time position that you carry out from home.

The application form is here.


Kind regards
Your JobKarriere Team

Yours, Petra Vogt

SCREENSHOT SPAM-MAIL

DOMAIN(s) INVOLVED:
 http://www.allesunverbindlich.com/
  • https://www.virustotal.com/de/url/a50a28210fc094a6861f49520a028ebc17ab10217b16e82773672250830131c9/analysis/1393670585/

http://news.online-surftipps.com/
  • https://www.virustotal.com/de/url/9b289c2e28e2790291f4b6fad96c31623ea5894c4867379652d4adbda52f3b38/analysis/1393671148/

http://www.tradebutler.de/
  • https://www.virustotal.com/de/url/add54dd3214308f79440b4172d96992a26540b194a048ef92fa2b71d70fc3ac5/analysis/1393671238/



ORIGINATING IP:
2.1.8.110
  • https://www.virustotal.com/de/url/f511e3823cedc584bdcd55ec4b788197390a851dcf630c4398caba3cbc929d36/analysis/1393671338/

LISTED AT SPAMHAUS (PBL):
  • http://www.spamhaus.org/query/bl?ip=2.1.8.110

Email Reputation: Poor
  • http://www.senderbase.org/lookup/?search_string=2.1.8.110

2/24/2014

GREATSOFTWARE.COM:
www.greatsoftware.com & dl.downloadohdooshieyei.com
(MALICIOUS DOWNLOADS from NORWAY & FRANCE)


MALWARE SITE (DIRECTLY & INDIRECTLY): MALICIOUS DOWNLOADS

DOMAIN:
http://www.greatsoftware.com/
  • https://www.virustotal.com/de/url/944ea52f2622d40e250fca3d82c5b01920482196479a88a5fc7aa55567828d0c/analysis/1393276144/
MALICIOUS LINK:
http://www.greatsoftware.com/image-merger-exe/
  • https://www.virustotal.com/de/url/ae080a4ba9dff79029475591902616ccde3860d512fc444d14f7d2fd0f313254/analysis/1393276105/
CLICK THE DOWNLOAD BUTTON (DON'T) AND YOU GET THE FILE (MALWARE)

FROM:
http://dl.downloadohdooshieyei.com/n/12372005/Image%20Merger%20.EXE.exe
  • https://www.virustotal.com/de/url/e5a90ede66101c9b432ea464827a5d8c0f47bb8461520eacbea096b4ba9e823a/analysis/1393273342/
(PUA) Win32/FirseriaInstaller.F
  • https://www.virustotal.com/de/file/a43fc03c2fc7519029692d6666c54ea5d8ef478748ec893153ee479607324277/analysis/1393273348/
MALICIOUS DOMAIN:
http://dl.downloadohdooshieyei.com/
  • https://www.virustotal.com/de/url/ef7757bab9e69849807f527d515ab673778d76a3e3cb8f1d2da775a2d5dfb199/analysis/1393274740/


2/08/2014

SPAM:
"Pures Verwöhnprogramm" ("Pure pampering") emv-info.hotelreservierung.de
(FRANCE)




MALICIOUS DOMAIN: SPAM & PHISHING SCAM (FRANCE)

ORIGINATING IP ADDRESS:
2.1.14.110
  • https://www.virustotal.com/de/url/5daa82f054d1922a3ee933df19c8e85c6798db2f94bd03335d629588349fe817/analysis/1391807477/
LISTED AT SPAMHAUS:
  • http://www.spamhaus.org/query/bl?ip=2.1.14.110
Email Reputation: Poor
  • http://www.senderbase.org/lookup/?search_string=2.1.14.110

emv-info.hotelreservierung.de
  • https://www.virustotal.com/de/url/68cf71f26c2b4e5ef62d3fc27600ed4dc7c1086101b89194092ae84a3fd93340/analysis/1391806480/
  • http://www.UnmaskParasites.com/security-report/?page=www.hotelreservierung.de

CONNECTED SPAM DOMAINS:
ads.unister-gmbh.de
  • https://www.virustotal.com/de/url/f046bd900cae54568f25063533aeddb8f685ce58b24066f37357fba10e1a2e23/analysis/1391806371/
  • https://www.mywot.com/en/scorecard/ads.unister-gmbh.de
crm.hotelreservierung.de
  • https://www.virustotal.com/de/url/e82ecd62ab91a3b4792554b117d55deaabc5820d89bdfc8aef7dcf3a4a87aeb7/analysis/1391806614/
www.ab-in-den-urlaub.de
  • https://www.virustotal.com/de/url/a368e6a05fd18af9554b616f32e8fab1797d8baab9f67c2585b6f9d72f3ff254/analysis/1391806780/

1/27/2014

INFECTED:
tarabiscot.free.fr
HEUR:Trojan.Script.Generic (FRANCE)


MALICIOUS DOMAIN: RBN 73


tarabiscot.free.fr
  • https://www.virustotal.com/de/url/eee02c8b0bc0f5a7a61b5433db103b962dcfa4e6cb06e9b1512909abcb36a014/analysis/1390833650/

INFECTED WITH: HEUR:Trojan.Script.Generic

  • https://www.virustotal.com/de/file/8051a2477f0a79811fce048efa0c41e224aab909cc87df43d47a615560c8c85c/analysis/1390834277/
  • http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=tarabiscot.free.fr
  • http://zulu.zscaler.com/submission/show/2b5d08d924c965ff3c023d2c4f994e87-1390833696
  • http://jsunpack.jeek.org/?report=2bb5070ae0c68c628d7fe1b2b80ea59f9f0af254
  • http://www.urlvoid.com/scan/tarabiscot.free.fr/
  • http://urlquery.net/report.php?id=9019600

---> REMOTE
www.managementhouse.it/X1eqVXuP.php?id=52441323
  • https://www.virustotal.com/de/url/7b9280a92f0ac026b068e86f2a9ece67c955e3ca43601a593389c5f3f760505a/analysis/1390834619/
  • https://www.virustotal.com/de/file/680c91b576621427e4795f80d603cfb3c536f57b98c45a70a12f80f65bb3c9e6/analysis/1390833815/
--->
sexshopsexy.es/waser.html
  • https://www.virustotal.com/de/url/9d71724af54a74209f495b747c83b5610f41eaaaecb879007e4f6d7b6f2607d2/analysis/1390834924/
  • https://www.virustotal.com/de/file/80218063480d86ddcf2a5bdb3c0e8b67ca5e192a18fa38b74f71b8e7a6949f3c/analysis/1390834708/
--->
dnn506yrbagrg.cloudfront.net/pages/scripts/0018/9762.js?386342
  • https://www.virustotal.com/de/url/1e2666229a04b567448ad4480f2b7b981526aaa8d0a243ca75c40de3c8b47511/analysis/1390835245/

1/24/2014

NEW MALWARE CODE:
Trojan-Clicker.HTML.IFrame.api & Trojan.JS.Agent.cfe & Trojan.JS.Agent.cff & Trojan.JS.Agent.cfg
found on
iprostate.org (FRANCE) & 89.161.179.50 (POLAND) & aixuaxoh.corpellis.com (FRANCE)






MALICIOUS DOMAIN INFECTED:
iprostate.org
  • https://www.virustotal.com/de/url/60a26b91beaa3f637236fd90c0337dbbbbca80eeef890fe65ccf4e08d1e47dcf/analysis/1390565063/


NEW MALICIOUS CODE: Trojan-Clicker.HTML.IFrame.api
  • https://www.virustotal.com/de/file/e985726550f1e3d0e509d7b137b0fb8e638e0206be3dac95aa3374b68b75f9c4/analysis/1390565399/
  • http://wepawet.iseclab.org/view.php?hash=95b6d14c905bb68bb00acc216aeee6ea&t=1390565037&type=js
  • http://jsunpack.jeek.org/?report=544ce445dec7f573fde5dbae940cf8e1a877d501
  • http://www.urlvoid.com/scan/iprostate.org/
--->
 
DOMAIN: (POLAND)
89.161.179.50
  • https://www.virustotal.com/de/url/3eb048bbc38acf47bc1fc56d6ba0bca27af49befb9501ba7e6217f1fd1f855a8/analysis/1390566648/
INFECTED WITH: JS:Includer-APY [Trj] & Trojan.JS.Blacole.Gen
  • https://www.virustotal.com/de/file/e7b478aeb97b77d2b7603ec9b3c01a67c9283b5773dc220fa181aec6b106502c/analysis/1390566981/
  • http://urlquery.net/report.php?id=8956027
  • http://wepawet.iseclab.org/view.php?hash=71f5f7a455f222fa3632d2fa5513d733&t=1390567166&type=js
  • http://jsunpack.jeek.org/?report=d0d24f41d2763479e8bdd80e573321b1495b3ee5

89.161.179.50/AC_RunActiveContent.js
  • https://www.virustotal.com/de/url/46559ae6b42b98f6a5636e639f20cf218a21dbe4e74bde08627368d5e4004efa/analysis/1390567518/
NEW MALICIOUS CODE: Trojan.JS.Agent.cfg
  • https://www.virustotal.com/de/file/8dd5ca26ad29dbb78104867199d67d6cf93115b3af206c434470d8f896c6df6b/analysis/1390567519/
SPECIFIC REMOTE LINK:
89.161.179.50/pub/MQZ11znP.php?id=27367098
  • https://www.virustotal.com/de/url/db69ece38e9a7d922b2fc7f4363d7c763e1f7393e7f60aeb049334e56b25324d/analysis/1390565939/

NEW MALICIOUS CODE: Trojan.JS.Agent.cfe
  • https://www.virustotal.com/de/file/da207e5f0c04455f4a759e81fa7930be4e92bff35786ac69fa647c31588bd0dd/analysis/1390565729/
--->
DOMAIN:
aahaimie.corpellis.com
  • https://www.virustotal.com/de/url/74b62220ddfd4194ec8353076c5a47dc6d75169cee68a0b1b04183042ea90971/analysis/1390566439/

SPECIFIC REMOTE LINK:
aahaimie.corpellis.com:8000/kbgvqiqyg?bwiossxvihjt=6621548
  • https://www.virustotal.com/de/url/716660bdafda01452ff3383dc54d57578b33620ce3f2b60c5a04b085262aa26b/analysis/


NEW MALICIOUS CODE: Trojan.JS.Agent.cff
  • https://www.virustotal.com/de/file/e7b478aeb97b77d2b7603ec9b3c01a67c9283b5773dc220fa181aec6b106502c/analysis/
--->

DOMAIN: (UKRAINE)
91.217.91.104
  • https://www.virustotal.com/de/url/600b14a0354cde620db64861fd6865d7395f8e3cbb744240c842ab09f01fb577/analysis/1390568047/
91.217.91.104//?id=1&se_referer=&charset=utf-8
  • https://www.virustotal.com/de/url/b1edaeb1d47b89d2747466822d49aba12752e79a004de1643bca1f70d03f7584/analysis/1390568170/
  -----------------------------------------------------------------------------------

OTHER DOMAINS INVOLVED


1) DOMAIN: (U.S.)
akmc-engg.com
  • https://www.virustotal.com/de/url/704c9b0de1bad345c1af1094c1f130a9e3af891aeb5e01aca4634e189ad2cb7f/analysis/1390568688/
SPECIFIC LINK:
akmc-engg.com/cO5hpbRz.php?id=27367098
  • https://www.virustotal.com/de/url/15901dee78bb8e1a89187df6e9482f84379cea7ba8f78d2fbb79755058286f19/analysis/1390568698/
  • https://www.virustotal.com/de/file/afee46604646db0e32c46dd0f423e1da7c2f9d2a2be31990ab287585f825ba83/analysis/1390566117/

----------------------------------------------------------------------------------- 

2) DOMAIN: (U.S.)
karocchio.eu
  • https://www.virustotal.com/de/url/fff4fdeb39bb94d2696dc08f21a116135f90045b60a1c634c48d6f75a9efc81d/analysis/1390569353/

-----------------------------------------------------------------------------------



3) DOMAIN: (ICELAND)
bobomo.mynumber.org
  • https://www.virustotal.com/de/url/315bdb1eaf95fcaeb3bf417a5185a4b1b7a69c888a133707df227201cd8c7921/analysis/1390569679/
Dynamic DNS URL
  • http://urlquery.net/report.php?id=8956217
  • http://www.urlvoid.com/scan/bobomo.mynumber.org/

----------------------------------------------------------------------------------- 

4) DOMAIN: (INDONESIA)
inez.co.id
  • https://www.virustotal.com/de/url/a3a8f91034a79665ee1a2c92c8a7d4dcb8536440f4acf9472c2a6650046c4445/analysis/1390570093/
  • https://www.virustotal.com/de/file/7212d36a24d79b733ee726e38c0db6734e4a55b290a2680504de57683ed49a07/analysis/1390570210/
  • http://www.urlvoid.com/scan/inez.co.id/
SPECIFIC LINK (INFECTED):
inez.co.id/edocus/tSB0NuE7.php?id=19034511
  • https://www.virustotal.com/de/url/17b184b7e0f250eda98b7314b3e2316a6540701029647b3814705fddbbde9c57/analysis/1390570447/
 
INFECTED WITH: HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/521de2e5d3c5140f17a06400840f7002bd2ec33f6e085171fc3df768efb4413f/analysis/1390570748/
  • https://www.virustotal.com/de/file/b671d0390dcde53d9b0fd1e0bd3a8b145409e57f58b00bc47d11c449037a7468/analysis/1390570733/
  • http://jsunpack.jeek.org/?report=d9152fba62fa51859e1955854a0a447e785e73c0

----------------------------------------------------------------------------------- 

5) DOMAIN: (FRANCE) Dynamic DNS URL
www.urofrance.org
  • https://www.virustotal.com/de/url/ad735bc21d8858b255a8688cd78c3d04ee7ccf483dfea7e0147a5b92915774f5/analysis/1390571126/
www.urofrance.org/congres-et-formations/calendrier.html
  • https://www.virustotal.com/de/url/de91fb23ff3add27e1b0b61c9e6a57043ffe33c927a4bd40201ed79e2ac0f03b/analysis/1390571128/
Dynamic DNS URL
  • http://urlquery.net/report.php?id=8956326
-----------------------------------------------------------------------------------

6) DOMAIN: (SWITZERLAND)
www.healthonnet.org
  • https://www.virustotal.com/de/url/ffe8ada5a6b6a7eca744223b20087bebb2fe5339ef3b9f983f2e38b62056dada/analysis/1390572210/
  • http://quttera.com/detailed_report/www.healthonnet.org
----------------------------------------------------------------------------------- 

7) DOMAIN: (FRANCE) - LINK TO iprostate.org found
www.spdesigner1.com
  • https://www.virustotal.com/de/url/aabf7f0ce3e2507fe39cf3a2d7c1488ec96e81bbec5899771bad3944845639e9/analysis/1390573845/
www.spdesigner1.com/js/carouFredSel.js
  • https://www.virustotal.com/de/url/87ff75c131dd793787cc905b4c86b65fa62cea025f29ce837efc9863bf003919/analysis/1390574236/
PUA
  • https://www.virustotal.com/de/file/babe4ebb46ac2dbe59de631e65409bd31133a3c48b0e3069d8543aed9af13f98/analysis/1386751724/
LINK FOUND TO: iprostate.org
  • http://www.UnmaskParasites.com/security-report/?page=www.spdesigner1.com
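The redirector URLs in this report share one shape: an eight-character alphanumeric .php name followed by ?id= and an eight-digit campaign id (X1eqVXuP.php?id=52441323, MQZ11znP.php?id=27367098, cO5hpbRz.php?id=27367098, tSB0NuE7.php?id=19034511), with one id, 27367098, reused across two hosts. The Python below is an added example, not the blog's code: it pulls that pattern out of proxy log lines and groups hits by id so hosts serving the same campaign surface together. The regex is tuned to exactly what the post lists, so treat any wider use as an assumption. The log lines are constructed for the demo (their timestamp/client/URL layout is an assumption) and use only hosts already named in the post.

```python
"""Flag TDS-style redirector URLs in proxy logs (added example, not the blog's code)."""
import re
from collections import defaultdict

# Eight alphanumerics, ".php?id=", exactly eight digits; the basename must
# start right after a "/" so longer names such as abcdefghijkl.php do not match.
TDS_RE = re.compile(
    r"https?://(?P<host>[^/\s]+)/(?:[^\s?]*?/)?"
    r"(?P<script>[A-Za-z0-9]{8})\.php\?id=(?P<id>\d{8})(?!\d)"
)


def find_tds_hits(log_lines):
    """Return one dict per matching line: host, script basename, campaign id, raw line."""
    hits = []
    for line in log_lines:
        m = TDS_RE.search(line)
        if m:
            hits.append({"host": m["host"], "script": m["script"],
                         "id": m["id"], "line": line})
    return hits


def group_by_id(hits):
    """Campaign ids recur across hosts, so pivot on the id to find related infrastructure."""
    by_id = defaultdict(set)
    for h in hits:
        by_id[h["id"]].add(h["host"])
    return {cid: sorted(hosts) for cid, hosts in by_id.items()}


# Constructed proxy log lines for the demo (layout assumed: time, client, method, URL, status).
SAMPLE_LOG = [
    "2014-01-24T10:02:11Z 10.0.0.12 GET http://iprostate.org/ 200",
    "2014-01-24T10:02:12Z 10.0.0.12 GET http://89.161.179.50/pub/MQZ11znP.php?id=27367098 200",
    "2014-01-24T10:02:13Z 10.0.0.12 GET http://akmc-engg.com/cO5hpbRz.php?id=27367098 302",
    "2014-01-24T10:05:40Z 10.0.0.31 GET http://inez.co.id/edocus/tSB0NuE7.php?id=19034511 200",
    "2014-01-24T10:06:02Z 10.0.0.31 GET http://asdpietroguarino.ilbello.com/post.php?id472092 200",
    "2014-01-24T10:07:15Z 10.0.0.44 GET http://www.example.net/index.php?id=12345678 200",
]

if __name__ == "__main__":
    hits = find_tds_hits(SAMPLE_LOG)
    for h in hits:
        print(h["id"], h["host"], h["script"])
    print(group_by_id(hits))
```

The post.php?id472092 and index.php?id=12345678 lines are left out on purpose: they show that the match is on the whole shape, not on "?id" alone.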

12/14/2013

Security Breach: Former French First Lady Carla Bruni Nude Pictures
allow hackers into G20 delegates' computers

Nude pictures of former French first lady Carla Bruni were used to break into the computer systems of dozens of diplomats. The shocking security breach was first discovered at the G20 summit in Paris in February 2011 and may be ongoing.


                                          Carla Bruni & Sarkozy     Photo: AP
“To see naked pictures of Carla Bruni click here” said a message sent to those attending, who included finance ministers and central bank representatives.

Bruni, a former supermodel who became President Nicolas Sarkozy’s third wife in 2008, was well known for taking her clothes off in her early career. This prompted many to open an attachment which turned out to be a ‘Trojan’ with an embedded virus, although all recipients could see were the X-rated photographs.

                                                                     Reuters
Once opened, the malware infected the computers of senior officials and forwarded the offensive email on to other addresses stored on the device.

“Almost everybody who received the email took the bait,” said a government source in Paris, saying that this included representatives from the Czech Republic, Portugal, Bulgaria, Hungary and Latvia.

Sarkozy was first embarrassed by nude pictures of Bruni surfacing shortly after their marriage, while they were staying with the Queen at Windsor Castle during a state visit to Britain. (ROFL)

Bruni, who still uses her maiden name in her career as a pop singer, later changed her image from a Paris sex kitten into an unassuming politician’s wife. The so-called phishing attacks are thought to have originated in China and were aimed at extracting information.

The attacks are still being investigated, and nobody is yet sure what information was extracted.

The United States is thought to have been the main target of the scam.

The cyber attack on the Paris G20 meeting took place before the 6th G20 summit in Cannes, in the south of France, which brought together heads of government. There have been a number of similar attacks in France, leading the country to be proactive in cyber defence.

                         Getty Images
A recent White Paper on Defence and National Security proclaimed cyber attacks as “one of the main threats to the national territory” and “made prevention and reaction to cyber attacks a major priority in the organisation of national security”.

This led to the creation of the French Agency for National Security of Information Systems in 2009. Nicolas Sarkozy, a conservative, lost the presidential election to the Socialist Francois Hollande in 2012 and is now dealing with a range of corruption charges.