Thursday, June 05, 2014

Malcovery Examines GameOver Zeus

What is this graphic about? Read on, Gentle Reader!

Malcovery: Email Based Threat Intelligence and GameOver Zeus

At Malcovery Security we have become EXTREMELY familiar with GameOver Zeus. Our malware analysts create multiple reports each day documenting the top Email-based threats, and as the FBI's news releases (covered earlier this week in this blog, see Is it GameOver for GameOver Zeus? document, the criminals behind GameOver Zeus have been devastatingly thorough in compromising computers. Unlike some sandboxes, when Malcovery reports on a piece of malware, we actually report on "the activity that would result on a computer compromised by this malware" in a holistic view that we call Contextual Analysis. The goal of Malware Contextual Analysis is to help answer questions like:

  • How would one of my users likely be infected by this malware?
  • What email subjects or messages may have sent this malware?
  • Did that spam campaign deliver other malicious attachment or malicious URLs?
  • If one of my users were compromised by this malware, what network activity may result?
  • What additional malicious files might be downloaded by a computer compromised with this malware?
  • . . . and other questions, depending on the nature of the malware
Malcovery's main Malware Threat Intelligence analyst, Brendan Griffin, has shared a special report called The Many Faces of GameOver Zeus that examines many of the ways the malware has been delivered via spam campaigns. In this blog post, I'll be focusing on the Prominent IP addresses associated with the "Encrypted Drop" version of GameOver Zeus distribution.

GameOver Zeus's Encrypted Drop Sites

Back in February, Malcovery reported that GameOver Zeus was being prominently loaded by means of UPATRE malware downloading an Encrypted file from the Internet, and then executing that file. (See our post: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security) With GameOver Zeus possibly taking a significant hit due to the coordinated law enforcement and researcher efforts, I wanted to look at the network infrastructure that we have been warning about in our T3 reports, and just illustrate how the T3 reports can be used to alert you to activity not just from the current day's malware, but for malware that touches any part of the extensive shared infrastructure of GameOver Zeus.

Since that initial post, we've seen GameOver Zeus-related encrypted files drop from more than 200 different internet locations, get decrypted by the Dropper malware, and execute themselves to begin communicating with the Peer to Peer GameOver Zeus infrastructure. The full list of many of those URLs, with the date on which we saw the spam campaign, the brand, item or company being imitated in that spam campaign, and the URLs where the GOZ binary were accessed, is available at the end of this article. Here is a sampling of some of the most recent ones for now to help understand the process...

2014-05-13 Xerox url::moraza.com.my/images/1305UKdp.zip
2014-05-13 NatWest url::luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip
2014-05-14 Microsoft url::elpenterprisesinc.com/wp-content/uploads/2014/05/1405UKdw.enc
2014-05-14 Sage url::ballroom-intergalactica.com/wp-content/themes/twentythirteen/css/1405UKdp.enc
2014-05-14 Intuit url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-14 NatWest url::jessicahann.co.uk/wp-content/uploads/2013/13/1405UKmp.enc
2014-05-14 ADP url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-15 eFax url::factoryrush.com/test/1505UKmp.zip
2014-05-15 UK Ministry of Justice url::sugarlandrx.com/media/css/1505UKdp.zip
2014-05-15 eFax url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15 Fidelity url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15 Dun & Bradstreet url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-16 Bank of America url::kuukaarr01.com/wp-content/uploads/2014/05/Targ-1605USdp.tar
2014-05-19 Santander url::paperonotel.com/Scripts/heap170id2.exe
2014-05-19 Wells Fargo url::mersinprefabrik.com/Css/1905USmw.dct
2014-05-20 HSBC url::task-team.com/css/2005UKmw.zip
2014-05-20 NYC Govt url::lospomos.org/images/button/2005USmw.zip
2014-05-20 UPS url::alamx.com/images/RCH2005.zip
2014-05-20 UPS url::evedbonline.com/images/RCH2005.zip
2014-05-20 Royal Bank of Scotland url::lospomos.org/images/button/2005UKmw.zip
2014-05-20 LexisNexis url::evedbonline.com/images/RCH2005.zip
2014-05-21 Credit Agricole url::eleanormcm.com/css/2105UKdp.rar
2014-05-21 HSBC url::cedargrill.sg/css/2105UKdw.rar
2014-05-21 HSBC url::chezalexye.com/css/2105UKdw.rar
2014-05-21 JP Morgan url::footballmerch.com/media/css/Targ-2105USmw.tar
2014-05-27 Hewlett-Packard url::lotwatch.net/images/2705UKdp.rar
2014-05-27 Xerox url::auracinematics.com/acc/b02.exe
2014-05-29 Visa url::qadindunyasi.az/images/Targ-2905USmp.tar
2014-05-30 Sky url::3dparsian.com/images/banners/3005UKdp.rar
2014-05-30 HSBC url::bag-t.com/css/3005UKmw.rar
2014-05-30 HSBC url::seminarserver.com/html/3005UKmw.rar

For each of the campaigns above, Brendan, Wayne, and J, our malware analysis team, pushed out both an XML and STIX version of the machine readable T3 reports so that our customers could update themselves with information about the spam campaign, the IP addresses that sent that spam to us, the hashes of the spam attachment, the hostile URLs, and the IP addresses associated not only with the GameOver Zeus traffic, but whatever other malware was dropped in the same campaign. As the FBI indicated, it was extremely common for GameOver Zeus infected computers to ALSO become infected with CryptoLocker.

T3: Protection for Today and Tomorrow

But how often did we see "re-use" of network infrastructure? We like to say that Malcovery's T3 report, which stands for Today's Top Threat, is really "T3: Protection for Today and Tomorrow". To illustrate this, I did some data mining in Malcovery's Threat Intelligence database.

First - I isolated network activity for the 92 distinct spam campaigns illustrated above. (There were many more GameOver Zeus campaigns than that, but I was sticking to those samples that used the "encrypted file decrypted by the dropper" version that I had written about in February, so this is a sampling ...)

For each IP address that showed up in network traffic within those 92 campaigns, ranging from February 6, 2014 to May 30, 2014, I counted how many distinct campaigns that indicator had been seen in. Fifty-six IP addresses showed up in ten or more of those campaigns.

I took those IP addresses, and asked the Malcovery Threat Intelligence Database "which spam campaigns delivered malware that caused traffic to those IP addresses?" and was surprised to see not just the original 92 campaign I started with, but 360 distinct spam campaigns!! I culled that down by eliminating the campaigns that only touched ONE of those 56 IP addresses of high interest. The remaining 284 campaigns could be placed into 103 groups based on what they were imitating. Most of the top brands should be familiar to you from Malcovery's Top 10 Phished Brands That Your Anti-Virus is Missing report.

Brand Imitated in Spam# of Campaigns Seen
Ring Central 30 campaigns
HMRC 15 campaigns
HSBC 13 campaigns
Royal Bank of Scotland 14 campaigns
NatWest 11 campaigns
eFax 11 campaigns
Sage 10 campaigns
Lloyds Bank 8 campaigns
UK Government Gateway 8 campaigns
Xerox 8 campaigns
ADP 6 campaigns
Companies House 6 campaigns
IRS 6 campaigns
New Fax 5 campaigns
Paypal 5 campaigns
Sky 5 campaigns
UPS 5 campaigns
Amazon 4 campaigns
Bank of America 4 campaigns
BT.com 4 campaigns
Microsoft 4 campaigns
QuickBooks 4 campaigns
Wells Fargo 4 campaigns
WhatsApp 4 campaigns

I threw the data into IBM's i2 Analyst Notebook, my favorite tool for getting a quick visualization of data, and did some arrangement to try to show the regionality of the data. I know the graph is too dense to see what is in the interior, but let me explain it here:

On the left are IP addresses that are owned by Microsoft. They are arranged by Netblock, with the size of the Computer icon representing how many malware campaigns that IP was linked to. Top to bottom numerically by Netblock, these are from the 23.96 / 23.98 / 137.116, 137.135, 138.91, 168.61, 168.63, 191.232 blocks. The Microsoft traffic only started appearing in late April, so it is possible this is traffic related to "sinkholing" or attempting to enumerate the botnet as part of the investigation. I have no insider knowledge of any such activity, just stating what we observed. We *DID* go back and look at the packet captures for these runs (we keep all of our PCAPs) and the traffic was exactly like the other Peer to Peer chatter for GameOver Zeus.

On the top are IP addresses in APNIC countries. Flag test: Japan, Hong Kong, China

On the right are IP addresses in ARIN countries. (Canada, USA)

In the bottom right corner is one LACNIC IP. (Venezuela)

And on the bottom are RIPE countries. (Netherlands, Moldova, Switzerland, Great Britain, Ukraine, Sweden, Belgium, France, and Austria)

The IP addresses on the chart above are also included here in tabular form:

Prominent IP addresses Associated with GameOver Zeus and associated malware

CountryASN#ASN OrganizationIP
CN 4837 CHINA169-BACKBONE CNCGROUP China169 Backbone,CN 221.193.254.122
HK 4515 ERX-STAR PCCW IMSBiz,HK 113.28.179.100
HK 9269 HKBN-AS-AP Hong Kong Broadband Network Ltd.,HK 61.244.150.9
HK 4760 HKTIMS-AP PCCW Limited,HK 218.103.240.27
JP 9365 ITSCOM its communications Inc.,JP 101.111.248.177
JP 45687 MCT-INTERNET Minamikyusyu CableTV Net Inc.,JP 27.54.110.77
JP 38628 WINK-NET HIMEJI CABLE TELEVISION CORPORATION,JP 115.126.143.176
JP 9617 ZAQ KANSAI MULTIMEDIA SERVICE COMPANY,JP 125.4.34.229
CA 577 BACOM - Bell Canada,CA 174.89.110.91
US 36352 AS-COLOCROSSING - ColoCrossing,US 172.245.217.122
US 22773 ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.,US 98.162.170.4
US 7018 ATT-INTERNET4 - AT&T Services, Inc.,US 75.1.220.146
US 7018 ATT-INTERNET4 - AT&T Services, Inc.,US 99.73.173.219
US 33588 BRESNAN-AS - Charter Communications,US 184.166.114.48
US 6128 CABLE-NET-1 - Cablevision Systems Corp.,US 68.197.193.98
US 6128 CABLE-NET-1 - Cablevision Systems Corp.,US 75.99.113.250
US 33490 COMCAST-33490 - Comcast Cable Communications, Inc.,US 67.168.254.65
US 7015 COMCAST-7015 - Comcast Cable Communications Holdings, Inc,US 73.182.194.83
US 6939 HURRICANE - Hurricane Electric, Inc.,US 50.116.4.71
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 137.116.225.57
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 137.116.229.40
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 137.117.197.214
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 137.117.72.241
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 137.135.218.230
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 138.91.18.14
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 138.91.187.61
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 138.91.49.30
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 168.61.80.142
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 168.61.87.1
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 168.63.154.114
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 168.63.211.182
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 168.63.62.72
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 23.96.34.43
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 23.97.133.13
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 23.98.41.229
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 23.98.42.224
US 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 23.98.64.182
BR 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 191.234.43.118
BR 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 191.234.52.206
BR 8075 MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation,US 191.236.85.223
VE 8048 CANTV Servicios, Venezuela,VE 190.37.198.162
AT 8437 UTA-AS Tele2 Telecommunication GmbH,AT 81.189.6.76
BE 5432 BELGACOM-SKYNET-AS BELGACOM S.A.,BE 194.78.138.100
CH 15600 FINECOM Finecom Telecommunications AG,CH 77.239.59.243
FR 16276 OVH OVH SAS,FR 94.23.32.170
GB 2856 BT-UK-AS BTnet UK Regional network,GB 109.153.212.95
GB 2856 BT-UK-AS BTnet UK Regional network,GB 213.120.146.245
GB 2856 BT-UK-AS BTnet UK Regional network,GB 86.159.38.32
MD 31252 STARNET-AS StarNet Moldova,MD 89.28.59.166
NL 1103 SURFNET-NL SURFnet, The Netherlands,NL 130.37.198.100
NL 1103 SURFNET-NL SURFnet, The Netherlands,NL 130.37.198.90
SE 39287 FLATTR-AS Flattr AB,SE 95.215.16.10
UA 13188 BANKINFORM-AS TOV _Bank-Inform_,UA 37.57.41.161
UA 21219 DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA 195.114.152.188
UA 42471 FALSTAP-AS OOO TRK Falstap,UA 85.198.156.189
UA 29688 VOSTOKLTD VOSTOK Ltd.,UA 31.42.75.203

Encrypted GameOver Zeus URLs seen by Malcovery

2014-02-06 UK Govt Gateway url::newz24x.com/wp-content/uploads/2014/02/pdf.enc
2014-02-06 UK Govt Gateway url::oilwellme.com/images/banners/pdf.enc
2014-02-06 TNT UK url::newz24x.com/wp-content/uploads/2014/02/pdf.enc
2014-02-06 TNT UK url::oilwellme.com/images/banners/pdf.enc
2014-02-10 UK2fax url::agrimarsystem.pe/images/10UKrh.enc
2014-02-10 UK2fax url::pro-viewer.com/images/10UKrh.enc
2014-02-12 Royal Bank of Scotland url::buzzers.in/media/catalog/category/12UKp.mp3
2014-02-12 Royal Bank of Scotland url::erp.zebronics.com/images/12UKp.mp3
2014-02-18 RingCentral url::iatablet.com/oc-content/uploads/HTML/al1402.pic
2014-02-18 RingCentral url::vietdongatravel.com/image/data/logo/al1402.pic
2014-03-05 Standard Chartered Bank url::broadproductz.zapto.org/ndu/guru/config.bin
2014-03-05 Standard Chartered Bank url::broadproductz.zapto.org/ndu/guru/gate.php
2014-03-06 RingCentral url::thebaymanbook.com/wp-content/uploads/2014/03/al2602.big
2014-03-06 RingCentral url::dominionfoodie.com/images/al2602.big
2014-03-06 Adobe url::cdn.cmatecdnfast.us/os/js/OfferScreen_240_EN.zip
2014-03-06 Adobe url::cdn.cmatecdnfast.us/os/js/OfferScreen_260_EN.zip
2014-03-06 Adobe url::cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip
2014-03-06 Adobe url::cdn.eastwhitecoal.us/Advertisers/FlashPlayer_Installer.exe
2014-03-06 Adobe url::downloadupdates.in/MB1/downloadupdate.in/style.css
2014-03-06 Adobe url::downloadupdates.in/MB1/flash_thankyou.php
2014-03-06 French Government url::adultagencyads.com/images/2010/0603UKp.big
2014-03-06 French Government url::trudeausociety.com/images/flash/0603UKp.big
2014-03-18 Citi url::jswcompounding-usa.com/images/TARGT.tp
2014-03-18 Citi url::thesymptomatologynetwork.com/images/TARGT.tp
2014-03-20 BankofAmerica url::lovestogarden.com/images/general/TARGT.tpl
2014-03-20 BankofAmerica url::villaveronica.it/gallery/TARGT.tpl
2014-03-21 Companies House url::fidaintel.com/images/2103UKp.qta
2014-03-21 Companies House url::premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta
2014-03-21 New Fax url::gulf-industrial.com/images/2103USa.qta
2014-03-21 QuickBooks url::bodyfriend.co.uk/images/2103USp.qta
2014-03-21 QuickBooks url::overtonsheepfair.co.uk/wp-content/uploads/2012/06/2103USp.qta
2014-03-27 Banque Populaire url::myeapp.com/wp-content/uploads/2014/03/TARG1.git
2014-03-27 Banque Populaire url::ramirezcr.com/images/TARG1.git
2014-03-27 HSBC url::knockoutsecrets.com/wp-content/uploads/2014/03/2703UKc.git
2014-03-27 HSBC url::vequi.com/images/2703UKc.git
2014-03-28 Sky url::hardmoneylenderslosangeles.com/abc/2803UKd.wer
2014-03-28 Sky url::igsoa.net/Book/2803UKd.wer
2014-03-28 Sage url::hardmoneylenderslosangeles.com/abc/2803UKd.wer
2014-03-28 Sage url::igsoa.net/Book/2803UKd.wer
2014-03-31 Voicemail Message url::albergolarese.com/css/3103UKm.rih
2014-03-31 Voicemail Message url::direttauto.com/scripts/3103UKm.rih
2014-03-31 Lloyds Bank url::bormanns-wetter.de/scripts/3103UKd.rih
2014-03-31 Lloyds Bank url::brucewhite.org/images/3103UKd.rih
2014-04-01 RingCentral url::atlantafloorinstallation.com/wp-content/plugins/akismet/index.zpi
2014-04-01 RingCentral url::ayat.onlinewebshop.net/img/index.zpi
2014-04-01 Royal Bank of Scotland url::miss-loly.com/Scripts/0104UKd.bis
2014-04-01 Royal Bank of Scotland url::photovolt.ro/script/0104UKd.bis
2014-04-01 eFax url::apacsolutions.com/test/Targ-0104USr.bis
2014-04-01 eFax url::cfklc.com/downloads/Targ-0104USr.bis
2014-04-01 Wells Fargo url::all-products.biz/css/Targ-0104USd.bis
2014-04-01 Wells Fargo url::smokeylegend.com/css/Targ-0104USd.bis
2014-04-01 Xerox url::atifmalikmd.org/css/Targ-0104USm.bis
2014-04-01 Xerox url::contactdbinc.com/css/Targ-0104USm.bis
2014-04-07 New Fax url::abwidiyantoro.com/images/0804UKm.jpi
2014-04-07 New Fax url::kworldgroup.com/css/0804UKc.jpi
2014-04-07 New Fax url::rainda.com/css/0804UKc.jpi
2014-04-07 New Fax url::robertcairns.co.uk/wp-content/uploads/2014/04/0804UKm.jpi
2014-04-07 NY Dept of Taxation and Finance url::gisticinc.com/wp-content/uploads/2014/04/0804UKr.jpi
2014-04-07 NY Dept of Taxation and Finance url::vtiger.gisticinc.com/test/logo/0804UKr.jpi
2014-04-08 Swiftpage, Inc url::isapport.com/Images/n0804UKm.dim
2014-04-08 Swiftpage, Inc url::metek-mkt.com/images/scripts/n0804UKm.dim
2014-04-09 HSBC url::musicbanda.com/css/0904UKd.rar
2014-04-09 HSBC url::sunsing.com.sg/images/0904UKd.rar
2014-04-09 New Fax url::renaissancepmc.com/scripts/0904US.rar
2014-04-09 New Fax url::thegrandbasant.com/img/icons/0904US.rar
2014-04-10 Xerox url::ebazari.com/uploads/brands/Targ-1004USr.enc
2014-04-10 Xerox url::rollonskips.com/images/banners/Targ-1004USr.enc
2014-04-14 Santander url::vv-international.eu/food/1404UKd.rar
2014-04-17 PayPal url::artncraftemporio.com/media/css/1704UKd.rar
2014-04-17 PayPal url::hrprovider.com/img/img/1704UKd.rar
2014-04-17 PayPal url::artncraftemporio.com/media/css/1704UKd.rar
2014-04-17 PayPal url::hrprovider.com/img/img/1704UKd.rar
2014-04-17 IRS url::fergieandco.org/wp-content/uploads/2014/03/Targ-1704USd.rar
2014-04-17 IRS url::newsilike.in/wp-content/lbp-css/black/Targ-1704USd.rar
2014-04-23 Royal Bank of Scotland url::aoneteleshop.com/images/payments/s2304UKd.rar
2014-04-23 Royal Bank of Scotland url::czargroup.net/wp-content/uploads/2014/04/s2304UKd.rar
2014-04-23 Companies House url::aoneteleshop.com/images/payments/s2304UKd.rar
2014-04-23 Companies House url::www.czargroup.net/wp-content/uploads/2014/04/s2304UKd.rar
2014-04-24 Generic Voicemail url::dotspiders.sg/test/clocks/2404UKs.tar
2014-04-24 Generic Voicemail url::mc-saferentals.com/images/2404UKs.tar
2014-04-25 Unity Messaging System url::altpowerpro.com/images/stories/highslide/Targ-2404USm.tar
2014-04-25 Unity Messaging System url::tmupi.com/media/images/icons/team/Targ-2404USm.tar
2014-04-29 Citi url::capsnregalia.com/download/2904UKpm.zip
2014-04-29 Citi url::perfumeriaamalia.com/images/stories/2904UKpm.zip
2014-04-30 UK Gov't Gateway url::factoryrush.com/boxbeat/uploads/3004UKdp.tar
2014-04-30 UK Gov't Gateway url::vestury.com/js/fckeditor/editor/js/3004UKdp.tar
2014-04-30 Sky url::factoryrush.com/boxbeat/uploads/3004UKdp.tar
2014-04-30 Sky url::vestury.com/js/fckeditor/editor/js/3004UKdp.tar
2014-04-30 IRS url::capsnregalia.com/download/scripts/Targ-3004USmp.tar
2014-04-30 IRS url::worldbuy.biz/scripts/Targ-3004USmw.tar
2014-05-05 Microsoft url::iknowstudio.com/scripts/0505USdw.dat
2014-05-05 Microsoft url::luxesydiseno.com/images/stories/brands/0505USdw.dat
2014-05-06 BT.com url::BIZ-VENTURES.NET/scripts/0605UKdp.rar
2014-05-06 BT.com url::realtech-international.com/css/0605UKdp.rar
2014-05-06 HMRC url::BIZ-VENTURES.NET/scripts/0605UKdp.rar
2014-05-06 HMRC url::realtech-international.com/css/0605UKdp.rar
2014-05-06 Generic Voicemail url::oligroupbd.com/images/Targ-0605USmw.enc
2014-05-06 Generic Voicemail url::touchegolf.com/css/Targ-0605USmw.enc
2014-05-06 US Postal Service url::eirtel.ci/images/0605USdw.enc
2014-05-06 US Postal Service url::smartsolutions.ly/css/0605USdw.enc
2014-05-07 Bank of America url::addcomputers.com/downloads/Targ-0705USmw.enc
2014-05-07 Bank of America url::mindinstitute.ro/images/Targ-0705USmw.enc
2014-05-07 NYC Govt url::addcomputers.com/downloads/Targ-0705USmw.enc
2014-05-07 NYC Govt url::mindinstitute.ro/images/Targ-0705USmw.enc
2014-05-07 BT.com url::k-m-a.org.uk/images/jquerytree/0705USmp.enc
2014-05-07 BT.com url::tuckerspride.com/wp-content/uploads/2014/05/0705USmp.enc
2014-05-07 NatWest url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip
2014-05-07 NatWest url::generation.com.pk/flash/0705UKmp.zip
2014-05-07 Swiftpage url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip
2014-05-07 Swiftpage url::generation.com.pk/flash/0705UKmp.zip
2014-05-07 Swiftpage url::bumisaing.com/wpimages/wpThumbnails/0705UKmp.zip
2014-05-07 Swiftpage url::generation.com.pk/flash/0705UKmp.zip
2014-05-07 QuickBooks url::k-m-a.org.uk/images/jquerytree/0705USmp.enc
2014-05-07 QuickBooks url::tuckerspride.com/wp-content/uploads/2014/05/0705USmp.enc
2014-05-08 Companies House url::accessdi.com/wp-content/uploads/2014/05/0805UKdp.dat
2014-05-08 Companies House url::mpharmhb.com/images/banners/0805UKdp.dat
2014-05-08 Paychex url::localalarmbids.com/wp-content/uploads/2012/12/0805USmp.rar
2014-05-08 Paychex url::pharmaholic.com/images/banners/0805USmp.rar
2014-05-12 NatWest url::plvan.com/css/1205UKdm.tar
2014-05-12 NatWest url::srhhealthfoods.com/test/1205UKdm.tar
2014-05-12 ADP url::datanethosting.com/css/Targ-1205USmp.enc
2014-05-12 ADP url::distrioficinas.com/fonts/Targ-1205USmp.enc
2014-05-12 Royal Bank of Scotland url::plvan.com/css/1205UKdm.tar
2014-05-12 Royal Bank of Scotland url::srhhealthfoods.com/test/1205UKdm.tar
2014-05-13 IRS url::consumerfed.net/css/1305UKmw.zip
2014-05-13 IRS url::irishtroutflies.ie/images/1305UKmw.zip
2014-05-13 NYC Govt url::loquay.com/css/1305UKdp.zip
2014-05-13 NYC Govt url::moraza.com.my/images/1305UKdp.zip
2014-05-13 Xerox url::loquay.com/css/1305UKdp.zip
2014-05-13 Xerox url::moraza.com.my/images/1305UKdp.zip
2014-05-13 NatWest url::luxesydiseno.com/images/powerslide/Concha/1305UKdw.zip
2014-05-13 NatWest url::paulaggg.com/css/1305UKdw.zip
2014-05-14 Microsoft url::djdawson.com/css/1405UKdw.enc
2014-05-14 Microsoft url::elpenterprisesinc.com/wp-content/uploads/2014/05/1405UKdw.enc
2014-05-14 Sage url::ballroom-intergalactica.com/wp-content/themes/twentythirteen/css/1405UKdp.enc
2014-05-14 Sage url::indoorea.com/webfiles/css/1405UKdp.enc
2014-05-14 Intuit url::martabrixton.com/css/Targ-rhc1405.dat
2014-05-14 Intuit url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-14 NatWest url::jessicahann.co.uk/wp-content/uploads/2013/13/1405UKmp.enc
2014-05-14 NatWest url::mortgagebidders.ca/fonts/1405UKmp.enc
2014-05-14 ADP url::martabrixton.com/css/Targ-rhc1405.dat
2014-05-14 ADP url::mindinstitute.ro/Web3/Upload/Targ-rhc1405.dat
2014-05-15 eFax url::factoryrush.com/test/1505UKmp.zip
2014-05-15 eFax url::techwin.com.pk/css/1505UKmp.zip
2014-05-15 UK Ministry of Justice url::floworldonline.com/wp-content/uploads/2014/04/1505UKdp.zip
2014-05-15 UK Ministry of Justice url::sugarlandrx.com/media/css/1505UKdp.zip
2014-05-15 eFax url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15 eFax url::entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15 eFax url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15 Fidelity url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15 Fidelity url::entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15 Fidelity url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15 Dun & Bradstreet url::dubaimovers.info/scripts/Targ-1505USdp.tar
2014-05-15 Dun & Bradstreet url::entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-15 Dun & Bradstreet url::www.entrepreneurindia.com/css/Targ-1505USdp.tar
2014-05-16 Bank of America url::gmdf.net/js/Targ-1605USdw.tar
2014-05-16 Bank of America url::gmdf.net/js/Targ-1605USdw.tar
2014-05-16 Bank of America url::kuukaarr01.com/wp-content/uploads/2014/05/Targ-1605USdp.tar
2014-05-16 Bank of America url::kuukaarr02.com/wp-content/uploads/2014/05/Targ-1605USdw.tar
2014-05-16 Bank of America url::kuukaarr02.com/wp-content/uploads/2014/05/Targ-1605USdw.tar
2014-05-16 Bank of America url::malkanat.com/images/Targ-1605USdp.tar
2014-05-16 Bank of America https://dl.dropboxusercontent.com/s/vfoim5op006sjdv/SecureMessage.zip
2014-05-16 Bank of America https://dl.dropboxusercontent.com/s/xn26h1fppik5np6/BankofAmerica.scr
2014-05-19 Santander url::aanchalgroup.com/wp-content/uploads/2013/09/1905UKdp.zip
2014-05-19 Santander url::albus-capital.com/css/1905UKdp.zip
2014-05-19 Santander url::paperonotel.com/Scripts/heap170id2.exe
2014-05-19 Wells Fargo url::mersinprefabrik.com/Css/1905USmw.dct
2014-05-19 Wells Fargo url::paperonotel.com/Scripts/heap170id2.exe
2014-05-19 Wells Fargo url::seminarserver.com/css/1905USmw.dct
2014-05-20 HSBC url::lospomos.org/images/button/2005UKmw.zip
2014-05-20 HSBC url::task-team.com/css/2005UKmw.zip
2014-05-20 NYC Govt url::lospomos.org/images/button/2005USmw.zip
2014-05-20 NYC Govt url::task-team.com/css/2005USmw.zip
2014-05-20 UPS url::auracinematics.com/christine/Christine/2005USdp.zip
2014-05-20 UPS url::protecca.com/fonts/2005USdp.zip
2014-05-20 UPS url::alamx.com/images/RCH2005.zip
2014-05-20 UPS url::evedbonline.com/images/RCH2005.zip
2014-05-20 Royal Bank of Scotland url::lospomos.org/images/button/2005UKmw.zip
2014-05-20 Royal Bank of Scotland url::task-team.com/css/2005UKmw.zip
2014-05-20 LexisNexis url::alamx.com/images/RCH2005.zip
2014-05-20 LexisNexis url::evedbonline.com/images/RCH2005.zip
2014-05-21 Credit Agricole url::eleanormcm.com/css/2105UKdp.rar
2014-05-21 Credit Agricole url::frizou.org/06-images/2105UKdp.rar
2014-05-21 Credit Agricole url::paperonotel.com/Scripts/heap170id2.exe
2014-05-21 HSBC url::cedargrill.sg/css/2105UKdw.rar
2014-05-21 HSBC url::chezalexye.com/css/2105UKdw.rar
2014-05-21 JP Morgan url::footballmerch.com/media/css/Targ-2105USmw.tar
2014-05-21 JP Morgan url::myacoub.com/wp-content/uploads/2014/05/Targ-2105USmw.tar
2014-05-27 Hewlett-Packard url::flutterhost.com/demo/2705UKdp.rar
2014-05-27 Hewlett-Packard url::lotwatch.net/images/2705UKdp.rar
2014-05-27 Xerox url::auracinematics.com/acc/b02.exe
2014-05-27 Xerox url::feelhomely.com/beta/eshopbox/2705USmp.opt
2014-05-27 Xerox url::the-dunn.com/css/2705USmp.opt
2014-05-27 Xerox url::auracinematics.com/acc/b02.exe
2014-05-27 Xerox url::feelhomely.com/beta/eshopbox/2705USmp.opt
2014-05-27 Xerox url::the-dunn.com/css/2705USmp.opt
2014-05-29 Visa url::homerenov.org/wp-content/uploads/2014/05/Targ-2905USmp.tar
2014-05-29 Visa url::qadindunyasi.az/images/Targ-2905USmp.tar
2014-05-30 Sky url::3dparsian.com/images/banners/3005UKdp.rar
2014-05-30 Sky url::kuukaarr01.com/wp-content/themes/twentytwelve/css/3005UKdp.rar
2014-05-30 Sky url::utraconindia.com/images/social/heapid2.exe
2014-05-30 HSBC url::bag-t.com/css/3005UKmw.rar
2014-05-30 HSBC url::seminarserver.com/html/3005UKmw.rar

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.