Thursday, December 30, 2010

Wordpress 3.0.4 released to fix critical security flaws

The well-known open source CMS WordPress has announced version 3.0.4, a security release that fixes a core security bug in the HTML sanitation library called KSES.

The original article can be obtained here.

Tuesday, December 28, 2010

Spam & Suspicious link 28-Dec-10 Part 2

109.196.142.42

nisferylos.com
silvecoolg.com


121.9.242.54

52idea.net
gzqnkj.com
hctta.com
hievol.com
qxqy88.com
www.56live.com
zyouqu.com


121.9.242.55

dunsble.cn
szly56.com
www.dunsble.cn


67.228.139.118

67.228.139.118-static.reverse.softlayer.com
bestcounter.co.cc


84.127.113.164

1.oresmir.co.cc


92.60.176.41

3apa6otok.real-host.ru
ageless.org.ua
aleksgood.real-host.ru
babyseo.org.ua
blogagel.org.ua
geroi2012.real-host.ru
goldenchrome.ru
kingfilms.ru
mail.3apa6otok.real-host.ru
mail.ageless.org.ua
mail.aleksgood.real-host.ru
mail.babyseo.org.ua
mail.blogagel.org.ua
mail.clickun.net
mail.geroi2012.real-host.ru
mail.goldenchrome.ru
mail.kingfilms.ru
mail.portal-lubercy.ru
mail.real-host.ru
mail.sergeus200.real-host.ru
mail.styles.org.ua
mail.texdoc.org.ua
mail.url-s.ru
mail.vk-hack.real-host.ru
mail.x-cazino.real-host.ru
mail.xramer.real-host.ru
mail.zasos.us
mail.ziza.us
mail.zosfoftojavc.net.ru
ns1.real-host.ru
portal-lubercy.ru
real-host.ru
sergeus200.real-host.ru
styles.org.ua
texdoc.org.ua
url-s.ru
vk-hack.real-host.ru
vladlen.real-host.ru
wap.real-host.ru
www.real-host.ru
www.url-s.ru
www.ziza.us
x-cazino.real-host.ru
xramer.real-host.ru
zasos.us
ziza.us
zosfoftojavc.net.ru


194.88.11.48

*.eqrdmmknrvsjkxav.org
*.rrpoklnnsurgnu.biz
*.wsjsrvtjsoostho.biz
*.yrsmgopgrwlljp.info
eqrdmmknrvsjkxav.org
expqlojkxytqp.biz
kmoxxksqapno.org
mizscisujqlploko.info
nqjxloetkkjrnnpl.biz
nvokxtrrltxkst.org
nvpvxeuovoptsu.net
orhghwvtrbnoryvr.biz
oryxyioosnrmfvvq.com
pehpnkswnfftvoq.biz
qnjpqrhswwoqljk.biz
qqirlpknpsvppoj.org
refrpyhqxvkmxf.net
roghfznkmydztn.org
root.eqrdmmknrvsjkxav.org
root.rrpoklnnsurgnu.biz
root.wsjsrvtjsoostho.biz
root.yrsmgopgrwlljp.info
rrpoklnnsurgnu.biz
sokpqljlugoour.com
uoipqnvpkwsonjsr.biz
vigvjqpxtmkpoxl.net
vrrltqnrqerszd.info
wquskkrjsbngivt.org
wrpcgwrfjyrlqz.info
wsjsrvtjsoostho.biz
xjrlquusshnjnupy.org
yrsmgopgrwlljp.info
ytlupjhtokqhhqwf.com


60.190.223.208

ihooome.com
jubaos.com
juboss.com
moneyhr.com
sinisie.com


Monday, December 27, 2010

Spam & Suspicious link 28-Dec-10

200.63.45.11

deeperwinnings.com
yourluckyday.info


201.7.103.58

*.ahpezkut.com
*.alhilfaika.com
*.atquackephix.com
*.beststoremedswellbeing.com
*.bestviagrarx.com
*.bobspharmacyrxs.com
*.clajiotsoa.com
*.cviadoaz.com
*.ezloxjib.com
*.foxwyqwac.com
*.futningi.com
*.fyenpimbec.net
*.glagsyclax.com
*.globalmedicalstore.com
*.healthenlargementpill.com
*.hlaedoahma.com
*.hlevombyx.com
*.hovhanjal.com
*.jubyvovvea.net
*.kidqurax.com
*.luagavcol.com
*.lusfidbeu.com
*.nizeigzef.com
*.pharmacydrugmarketguide.com
*.pharmacystonetablets.com
*.qubcicvowy.net
*.qukmifnuo.com
*.qwiquhvyrumy.com
*.qwiquxipijy.com
*.qwyzkiegwy.com
*.ripcapsules.com
*.skajhewsypy.com
*.sohfevevyl.com
*.tabletownhealthrx.com
*.thedrugstorestore.com
*.tuftiqwime.com
*.uflurort.com
*.viahwanmu.com
*.xyhjapquf.net
*.yupdytytix.com
*.zdarganpa.net
*.zmigtyby.com
*.zwaductun.com
admin.bestviagrarx.com
admin.capsulesrxguide.com
admin.clajiotsoa.com
admin.gughixqukk.com
admin.jubyvovvea.net
admin.nizeigzef.com
admin.pharmacydrugmarketguide.com
admin.qugoqudal.com
admin.qwiquxipijy.com
admin.thedrugstorestore.com
admin.zdarganpa.net
admin.zwaductun.com
alhilfaika.com
bestdrugtorepills.com
bestviagrarx.com
clajiotsoa.com
cviadoaz.com
dwocefhial.com
ebsajgij.com
ezloxjib.com
fisysdubb.com
fufyhzeyjhi.com
fwuqko.wisuilufmo.com
fyenpimbec.net
fyxaohziju.com
globalmedicalstore.com
goxtixunas.net
healthenlargementpill.com
hlevombyx.com
hovhanjal.com
jewbezkagr.com
kidqurax.com
ksaebsyrvu.com
lsnlue.redsouk.com
lusfidbeu.com
lyplumudwub.com
mail.aexhagijho.com
mail.ahpezkut.com
mail.alhilfaika.com
mail.bestdrugtorepills.com
mail.beststoremedswellbeing.com
mail.bestviagrarx.com
mail.clajiotsoa.com
mail.cviadoaz.com
mail.djiatisfu.com
mail.ezloxjib.com
mail.foxwyqwac.com
mail.foxwyqwac.net
mail.fyenpimbec.com
mail.fyenpimbec.net
mail.glagsyclax.com
mail.greatpillreview.com
mail.healthenlargementpill.com
mail.hlevombyx.com
mail.hovhanjal.com
mail.jubyvovvea.net
mail.kidqurax.com
mail.lusfidbeu.com
mail.merfeget.com
mail.nizeigzef.com
mail.pharmacystonetablets.com
mail.qubcicvowy.net
mail.qwiquhvyrumy.com
mail.qwiquxipijy.com
mail.qwyzkiegwy.com
mail.ripcapsules.com
mail.skajhewsypy.com
mail.sohfevevyl.com
mail.tuamecwojl.com
mail.tuftiqwime.com
mail.viahwanmu.com
mail.vnoedcyl.net
mail.xyhjapquf.net
mail.yezuynbez.com
mail.yourtorerx.com
mail.zdarganpa.net
mail.zvymmogwu.net
mail.zwaductun.com
merfeget.com
nizeigzef.com
ns1.aexhagijho.com
ns1.alhilfaika.com
ns1.atquackephix.com
ns1.beststoremedswellbeing.com
ns1.bestviagrarx.com
ns1.bihdeawy.com
ns1.capsulesrxguide.com
ns1.clajiotsoa.com
ns1.cviadoaz.com
ns1.ekhahpaxen.net
ns1.ezloxjib.com
ns1.fisysdubb.com
ns1.foxwyqwac.net
ns1.fufyhzeyjhi.com
ns1.fyenpimbec.com
ns1.glagsyclax.com
ns1.goxtixunas.net
ns1.gughixqukk.com
ns1.healthfoodmedsguide.com
ns1.hlevombyx.com
ns1.jubyvovvea.net
ns1.nizeigzef.com
ns1.pharmacystonetablets.com
ns1.qubcicvowy.net
ns1.qwiquhvyrumy.com
ns1.qwyzkiegwy.com
ns1.thedrugstorestore.com
ns1.tuamecwojl.com
ns1.viahwanmu.com
ns1.xyhjapquf.net
ns1.zdarganpa.net
ns1.zmigtyby.com
ns1.zvymmogwu.net
ns1.zwaductun.com
ns2.aexhagijho.com
ns2.ahpezkut.com
ns2.alhilfaika.com
ns2.atquackephix.com
ns2.bestdrugtorepills.com
ns2.beststoremedswellbeing.com
ns2.bestviagrarx.com
ns2.bihdeawy.com
ns2.clajiotsoa.com
ns2.cviadoaz.com
ns2.ekhahpaxen.net
ns2.ezloxjib.com
ns2.foxwyqwac.com
ns2.fyenpimbec.com
ns2.fyenpimbec.net
ns2.glagsyclax.com
ns2.goxtixunas.net
ns2.greatpillreview.com
ns2.gughixqukk.com
ns2.healthenlargementpill.com
ns2.hlaedoahma.com
ns2.hlevombyx.com
ns2.jewbezkagr.com
ns2.jubyvovvea.net
ns2.nizeigzef.com
ns2.pharmacystonetablets.com
ns2.qubcicvowy.net
ns2.qugoqudal.com
ns2.qwiquhvyrumy.com
ns2.qwyzkiegwy.com
ns2.tuamecwojl.com
ns2.viahwanmu.com
ns2.vnoedcyl.net
ns2.xyhjapquf.net
ns2.yupdytytix.com
ns2.zdarganpa.net
ns2.zmigtyby.com
ns2.zwaductun.com
oiggemzerfy.net
pharmacystonetablets.com
prescriptionmarketpills.com
qubcicvowy.net
qwiquhvyrumy.com
qwiquxipijy.com
qwofyuhl.net
qwuxiccy.com
qwyzkiegwy.com
qwymmarhagi.com
redsouk.com
rxstoreguide.com
seuksagyn.com
skajhewsypy.com
tabletsdiscountrxmeds.com
tuamecwojl.com
viahwanmu.com
www.bestviagrarx.com
www.clajiotsoa.com
www.pharmacydrugmarketguide.com
www.seuksagyn.com
www.thedrugstorestore.com
www.zwaductun.com
www.qwymmarhagi.com
wwwdrugmart.com
xyhjapquf.net
yezuynbez.com
yupnyojrufl.com
zdarganpa.net


213.55.114.132

*.1.pillsrxmedsworld.com
*.babif.ru
*.bafah.ru
*.bafan.ru
*.bafar.ru
*.bafeb.ru
*.ceyzzaomob.com
*.didjiolus.com
*.goclefqummy.com
*.healthmedsguide.net
*.homemedsrx.net
*.icofbelli.com
*.iwgyovzeh.com
*.medicationshealthcapsules.ru
*.medsdirectdrugstore.net
*.noastoyaw.com
*.nrukixbya.com
*.pharmacyrxcontrolpills.net
*.pillprescriptionhealthworld.com
*.pillprescriptionmedications.com
*.pillreviewmedsdirect.com
*.pillsbargainworld.ru
*.pillsdiscounthealthmeds.net
*.pillsiterx.ru
*.prescriptionstoredrugstore.net
*.pricetabletsdirect.com
*.pyksabypvos.com
*.rxformeds.net
*.rxmedhealthsite.com
*.rxmedworld.ru
*.rxperfectmeds.ru
*.srabeytte.com
*.storetabletswellness.com
*.tabletscheappharmacyhealth.net
*.tvodzizy.com
*.wiquadry.com
*.wrikevba.com
*.yourhealthpill.net
*.yourpillspharmacymeds.net
0089.greattoretabletsstore.com
1.pillsrxmedsworld.com
admin.agynsoqud.com
admin.ahpezkut.com
admin.babef.ru
admin.babeg.ru
admin.babev.ru
admin.babif.ru
admin.babih.ru
admin.bafah.ru
admin.bafal.ru
admin.bafan.ru
admin.bafar.ru
admin.bafeb.ru
admin.buymedssite.net
admin.ceyzzaomob.com
admin.generic-pill-shop.com
admin.goclefqummy.com
admin.greattoretabletsstore.com
admin.healthmedsguide.net
admin.icofbelli.com
admin.iwgyovzeh.com
admin.izakolmux.com
admin.medicationshealthcapsules.ru
admin.medsdirectdrugstore.net
admin.noastoyaw.com
admin.ojsokytco.com
admin.overnightmedsrx.net
admin.pevbaehto.com
admin.pharmacyrxcontrolpills.net
admin.pillprescriptionmedications.com
admin.pillreviewmedsdirect.com
admin.pillsbargainworld.ru
admin.pillsdiscounthealthmeds.net
admin.pillsiterx.ru
admin.pillstabletsworld.ru
admin.pilltabletspills.com
admin.pillweightmedications.ru
admin.pillwellnesstablets.com
admin.prescriptionshoppharmacy.net
admin.prescriptionstoredrugstore.net
admin.pricetabletsdirect.com
admin.rxmedhealthsite.com
admin.rxmedworld.ru
admin.rxtabletspillsweight.net
admin.tabletsdrugstoreguide.com
admin.tabletspillscheap.com
admin.tmunjiowoj.net
admin.wiquadry.com
admin.worldhealthpharmacy.com
admin.yourhealthpill.net
admin.yourpillspharmacymeds.net
admin.yourqualityhealth.com
aquteriox.com
babew.ru
bafah.ru
bafar.ru
bafeb.ru
ceyzzaomob.com
didjiolus.com
goclefqummy.com
homemedsrx.net
icofbelli.com
k1jpigvcwmr.igvelmenc.com
lapidaryplus.com
mail.babef.ru
mail.babeg.ru
mail.babev.ru
mail.babif.ru
mail.babih.ru
mail.bafah.ru
mail.bafal.ru
mail.bafan.ru
mail.bafar.ru
mail.bafeb.ru
mail.bliquolyst.com
mail.buymedssite.net
mail.canadahealthstore.com
mail.ceyzzaomob.com
mail.discounthivmeds.com
mail.drugmegamart.net
mail.generic-pill-shop.com
mail.goclefqummy.com
mail.greattabletshealthrx.net
mail.greattoretabletsstore.com
mail.healthmedsguide.net
mail.icofbelli.com
mail.igvelmenc.com
mail.iwgyovzeh.com
mail.izakolmux.com
mail.medicationshealthcapsules.ru
mail.noastoyaw.com
mail.ojsokytco.com
mail.overnightmedsrx.net
mail.pevbaehto.com
mail.pharmacyrxcontrolpills.net
mail.pillreviewmedsdirect.com
mail.pillsbargainworld.ru
mail.pillsdiscounthealthmeds.net
mail.pillsiterx.ru
mail.pillstabletsworld.ru
mail.pilltabletspills.com
mail.pillweightmedications.ru
mail.prescriptionshoppharmacy.net
mail.prescriptionstoredrugstore.net
mail.ripcapsules.com
mail.rxformeds.net
mail.rxmedhealthsite.com
mail.rxmedworld.ru
mail.rxtabletspillsweight.net
mail.srabeytte.com
mail.storetabletswellness.com
mail.tvodzizy.com
mail.yourhealthpill.net
mail.yourpillspharmacymeds.net
mail.yourqualityhealth.com
medsdirectdrugstore.net
noastoyaw.com
nopwyrty.com
ns1.agynsoqud.com
ns1.bliquolyst.com
ns1.ceyzzaomob.com
ns1.goclefqummy.com
ns1.icofbelli.com
ns1.igvelmenc.com
ns1.iwgyovzeh.com
ns1.izakolmux.com
ns1.noastoyaw.com
ns1.ojsokytco.com
ns1.teglurug.com
ns1.tmunjiowoj.net
ns1.wiquadry.com
ns2.ceyzzaomob.com
ns2.generic-pill-shop.com
ns2.goclefqummy.com
ns2.icofbelli.com
ns2.igvelmenc.com
ns2.iwgyovzeh.com
ns2.izakolmux.com
ns2.molefider.com
ns2.noastoyaw.com
ns2.nrukixbya.com
ns2.ojsokytco.com
ns2.pevbaehto.com
ns2.teglurug.com
ns2.tmunjiowoj.net
ns2.wiquadry.com
ns3.overnightmedsrx.net
pharmacyrxcontrolpills.net
pillprescriptionhealthworld.com
pillreviewmedsdirect.com
pillsbargainworld.ru
pillsdiscounthealthmeds.net
pillsiterx.ru
poffobwye.com
prescriptionmarketpills.com
prescriptionstoredrugstore.net
pyksabypvos.com
ra111o7pdtj.1.pillsrxmedsworld.com
ripcapsules.com
rxformeds.net
rxhealthmedicines.com
rxmedhealthsite.com
rxmedworld.ru
rxtabletspillsweight.net
srabeytte.com
storetabletswellness.com
tabletsbargaindrugstore.com
tabletscheappharmacyhealth.net
tabletspillscheap.com
thyucylbyb.com
tvodzizy.com
ugsyjyzh.com
vadihenop.com
wrikevba.com
www.pillreviewmedsdirect.com
www.pilltabletspills.com
www.rxformeds.net
www.yourqualityhealth.com
xuhnaefhag.com
yourhealthpill.net


121.37.60.178

businessreport20cnbc.com
businessweek20.com
channel20newsnow.com
channel6information.com
channel9paper.com
cnb20cnews.com
cnbc20bizonline.com
cnbc20onlinenews.com
cnbcdigitalnews20.com
cnbcfinancereport.com
cnbcfinancialreport.com
cnbclocal20online.com
firstbusinessreportonline.com
news20onlinereport.com
ns1.vanilla20media.biz
onlinecnbcnews20.com
onlinenews6report.com
www.businessweek20.com


88.255.78.111

*.aafya.ru
*.ahormalsi.com
*.dgfj.ru
*.drugmegastore.com
*.drugtorepharmacyrxsite.com
*.elitewellnessstore.net
*.enlargementpillhealthrx.net
*.femalerxtabletsfitness.com
*.fsszo.ru
*.greattoretabletsstore.com
*.guhqulamri.com
*.healthsleepingpillsrx.net
*.healthwellnessawareness.net
admin.dgfj.ru
admin.drugtorepharmacyrxsite.com
admin.dryxqudeqe.com
admin.enlargementpillhealthrx.net
admin.femalerxtabletsfitness.com
admin.fsszo.ru
admin.fydrerfim.com
admin.healthsleepingpillsrx.net
admin.icktm.ru
admin.iirdt.ru
admin.jwrwl.ru
agerdexo.com
ahormalsi.com
ahpezkut.com
capsuletabletsrx.com
drugdiscountmart.net
drugtorepharmacyrxsite.com
elitewellnessstore.net
enlargementpillhealthrx.net
equlhawa.com
evipluoj.com
fsszo.ru
getrxguide.net
greattoretabletsstore.com
guhqulamri.com
healthsleepingpillsrx.net
healthwellnessawareness.net
icktm.ru
jwrwl.ru
mail.aaewb.ru
mail.aafya.ru
mail.dgfj.ru
mail.drugtorepharmacyrxsite.com
mail.elitewellnessstore.net
mail.evipluoj.com
mail.femalerxtabletsfitness.com
mail.fsszo.ru
mail.fydrerfim.com
mail.icktm.ru
mail.jwrwl.ru
nerrywdilse.com
nijheyxmu.com
nruddiagzev.com
ns1.fydrerfim.com
ns2.fydrerfim.com
nuwrafta.com


88.255.78.112

*.aaewb.ru
*.advancedhealthpharmacy.com
*.aivxg.ru
*.ajwcd.ru
*.babef.ru
*.bafad.ru
*.bafal.ru
*.biopharmdrugs.ru
*.bopgukdeqwu.com
*.clubvyjdum.com
*.cumvicaxvo.com
*.discountmedsdrugstorehealth.net
*.dryxqudeqe.com
*.ehpehtyatt.com
*.evipluoj.com
*.freerxdrug.com
*.icktm.ru
*.iirdt.ru
*.jukibaxen.com
*.jwrwl.ru
*.nerrywdilse.com
*.nijheyxmu.com
*.nruddiagzev.com
*.nuwrafta.com
1181.greattoretabletsstore.com
aaewb.ru
aafya.ru
admin.aaewb.ru
admin.aafya.ru
admin.aivxg.ru
admin.ajwcd.ru
admin.bafad.ru
admin.biopharmdrugs.ru
admin.bopgukdeqwu.com
admin.clubvyjdum.com
admin.cumvicaxvo.com
admin.discountmedsdrugstorehealth.net
admin.drugmegastore.com
admin.ehpehtyatt.com
admin.elitewellnessstore.net
admin.nerrywdilse.com
admin.nijheyxmu.com
admin.nuwrafta.com
advancedhealthpharmacy.com
aivxg.ru
ajwcd.ru
babef.ru
babev.ru
babif.ru
bafad.ru
bafal.ru
bafan.ru
biopharmdrugs.ru
bopgukdeqwu.com
clubvyjdum.com
cumvicaxvo.com
dgfj.ru
discountmedsdrugstorehealth.net
drugmegastore.com
dryxqudeqe.com
ehpehtyatt.com
femalerxtabletsfitness.com
ff3rrffaic2i.dryxqudeqe.com
freerxdrug.com
fydrerfim.com
gwmgi.ru
iirdt.ru
iwiqubcauha.com
jukibaxen.com
mail.aivxg.ru
mail.ajwcd.ru
mail.bafad.ru
mail.biopharmdrugs.ru
mail.bopgukdeqwu.com
mail.clubvyjdum.com
mail.discountmedsdrugstorehealth.net
mail.drugmegastore.com
mail.dryxqudeqe.com
mail.ehpehtyatt.com
mail.healthsleepingpillsrx.net
mail.iirdt.ru
mail.nijheyxmu.com
mail.nruddiagzev.com
mail.nuwrafta.com
ns1.dryxqudeqe.com
ns1.ehpehtyatt.com
ns1.nerrywdilse.com
ns1.nijheyxmu.com
ns1.nruddiagzev.com
ns1.nuwrafta.com
ns2.bopgukdeqwu.com
ns2.clubvyjdum.com
ns2.dryxqudeqe.com
ns2.ehpehtyatt.com
ns2.evipluoj.com
ns2.nerrywdilse.com
ns2.nijheyxmu.com
ns2.nruddiagzev.com
www.babif.ru
www.bafal.ru
www.dgfj.ru
www.egfj.ru


116.255.148.216

*.apemedic.ru
*.ardmedic.com
*.at.discount.on.pfizer.clemedic.ru
*.clemedic.ru
*.dadmedic.com
*.discount.on.pfizer.apemedic.ru
*.discount.on.pfizer.clemedic.ru
*.dispdns.com
*.dmedicth.ru
*.fedmedic.com
*.for.mail.from.pfizer.dadmedic.com
*.from.pfizer.dadmedic.com
*.mail.from.pfizer.dadmedic.com
*.medicinemp.com
*.on.pfizer.apemedic.ru
*.on.pfizer.clemedic.ru
*.pfizer.apemedic.ru
*.pfizer.clemedic.ru
*.pfizer.dadmedic.com
*.scoudoctor.ru
*.xcaldoctor.ru
admedlab.ru
apemedic.ru
ardmedic.com
at.discount.on.pfizer.clemedic.ru
clemedic.ru
cyqacyhiuy5249.at.discount.on.pfizer.clemedic.ru
dadmedic.com
discount.for.mail.from.pfizer.dadmedic.com
discount.on.pfizer.apemedic.ru
discount.on.pfizer.clemedic.ru
dispdns.com
dmedicth.ru
doctoroe.com
fedmedic.com
for.mail.from.pfizer.dadmedic.com
from.pfizer.dadmedic.com
hshingo.discount.on.pfizer.apemedic.ru
kazedoctor.com
mail.from.pfizer.dadmedic.com
mediceg.com
medicnnin.com
medicsg1.com
medicte.ru
ns1.apemedic.ru
ns1.ardmedic.com
ns1.clemedic.ru
ns1.dadmedic.com
ns1.dispdns.com
ns1.dmedicth.ru
ns1.fedmedic.com
ns1.scoudoctor.ru
ns1.xcaldoctor.ru
on.pfizer.apemedic.ru
on.pfizer.clemedic.ru
pfizer.apemedic.ru
pfizer.clemedic.ru
pfizer.dadmedic.com
root.apemedic.ru
root.ardmedic.com
root.clemedic.ru
root.dadmedic.com
root.dmedicth.ru
root.fedmedic.com
root.scoudoctor.ru
root.xcaldoctor.ru
scoudoctor.ru
shedoctor.com
tools.logo.la
xcaldoctor.ru


143.248.175.159

*.manipreka.com
*.nessixfewu.com
*.pillsfitnessdrugstorechain.com
*.presciptionpharmacygraduates.com
*.rafpk.ru
*.vecabnaip.com
*.vgafruflo.com
*.vjestolquow.com
*.yusbekka.com
admin.manipreka.com
admin.nessixfewu.com
admin.pillsfitnessdrugstorechain.com
admin.presciptionhealthconcernsmedications.com
admin.presciptionpharmacygraduates.com
admin.rafpk.ru
admin.vjestolquow.com
admin.yusbekka.com
hbw19882.kaist.ac.kr
mail.manipreka.com
mail.nessixfewu.com
mail.pillsfitnessdrugstorechain.com
mail.presciptionpharmacygraduates.com
mail.rafpk.ru
mail.thetabletsmedspills.net
mail.vecabnaip.com
mail.vjestolquow.com
nessixfewu.com
ns1.manipreka.com
ns1.nessixfewu.com
ns1.vecabnaip.com
ns1.vgafruflo.com
ns1.vjestolquow.com
ns2.manipreka.com
ns2.nessixfewu.com
ns2.vecabnaip.com
ns2.vjestolquow.com
ollozeff.com
pillsfitnessdrugstorechain.com
presciptionpharmacygraduates.com
vamej.ru
vjestolquow.com
www.xqkjv.ru
yusbekka.com


tools: robtex.com
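As an added example (not part of the post: the parser and the resolver log lines are constructed here; only the short list excerpt is taken from the entries above), a small Python script that reads the IP-then-hostnames layout used in these lists, treats `*.` entries as wildcards for any subdomain, and checks constructed DNS resolver log lines against the resulting blocklist:

```python
import ipaddress
import re

# Excerpt in the same layout the post uses: an IP address, a blank line, then the
# hostnames that resolved to it. The entries are from the lists above; the layout
# parser, the log format and the log lines are constructed for this example.
BLOCKLIST_TEXT = """\
109.196.142.42

nisferylos.com
silvecoolg.com


194.88.11.48

*.eqrdmmknrvsjkxav.org
eqrdmmknrvsjkxav.org
root.eqrdmmknrvsjkxav.org


60.190.223.208

ihooome.com
jubaos.com
"""


def normalize(name):
    """Lower-case a hostname and drop a trailing dot so log and list entries compare equal."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text):
    """Return {ip: set(hostnames)} from the IP-then-hostnames layout."""
    entries = {}
    current_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            ipaddress.ip_address(line)  # raises ValueError for anything that is not an IP
        except ValueError:
            if current_ip is None:
                raise ValueError(f"hostname {line!r} appears before any IP address")
            entries[current_ip].add(normalize(line))
        else:
            current_ip = line
            entries.setdefault(current_ip, set())
    return entries


def build_matcher(entries):
    """Build a lookup(hostname) -> ip function honouring '*.suffix' wildcard entries."""
    exact = {}
    wildcard = {}
    for ip, hosts in entries.items():
        for host in hosts:
            if host.startswith("*."):
                wildcard[host[2:]] = ip
            else:
                exact[host] = ip

    def lookup(name):
        name = normalize(name)
        if name in exact:
            return exact[name]
        # A wildcard matches any name *below* the suffix; the apex itself must be listed explicitly.
        labels = name.split(".")
        for i in range(1, len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in wildcard:
                return wildcard[suffix]
        return None

    return lookup


BLOCKLIST = parse_blocklist(BLOCKLIST_TEXT)
LOOKUP = build_matcher(BLOCKLIST)

# Constructed resolver log lines; the "client=<ip> query=<name>" format is an assumption.
SAMPLE_LOG = [
    "2010-12-28T10:01:02Z client=10.0.0.15 query=silvecoolg.com",
    "2010-12-28T10:01:05Z client=10.0.0.22 query=www.example.com",
    "2010-12-28T10:02:11Z client=10.0.0.15 query=xyz.eqrdmmknrvsjkxav.org.",
    "2010-12-28T10:02:30Z client=10.0.0.31 query=www.ihooome.com",
]
LOG_RE = re.compile(r"client=(\S+)\s+query=(\S+)")


def scan_log(lines, lookup):
    """Return (client, queried_name, listed_ip) for every query that hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), normalize(m.group(2))
        listed_ip = lookup(qname)
        if listed_ip:
            hits.append((client, qname, listed_ip))
    return hits


def scan_sample_log():
    return scan_log(SAMPLE_LOG, LOOKUP)


if __name__ == "__main__":
    for client, qname, ip in scan_sample_log():
        print(f"{client} queried {qname} (listed under {ip})")
```

Note that `www.ihooome.com` is not flagged: only the apex `ihooome.com` is listed and there is no `*.ihooome.com` entry, so the matcher stays strict rather than guessing at subdomains the list never named.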

Installation Protection Mechanisms of Phoenix Exploit's Kit - Websense

Another good piece of research from Websense that I want to share here.

Resource from: websense.com

As part of my research within Websense Security Labs, I collaborate with a group of researchers tasked with profiling exploit kits. This helps us refine the analytics used in ACE, our Advanced Classification Engine. In this post I want to cover the installation of Phoenix Exploit's Kit. I'm not going to tell you how to install and use it, but I will cover some of the more interesting aspects of installation. Specifically, I want to cover how the developers protect their code from being reverse engineered and how the developers have attempted to keep researchers from poking around in installed kits.

To begin, let's have a look at the installer for the kit. Like many exploit kits, this one is PHP-based but unlike most kits, the installer is actually obfuscated. This is probably an attempt by the developers to make it harder for security researchers to understand how to install the kits, especially if there is no 'readme.txt' file included in a kit. Typically, exploit kits come with some sort of installation and/or revision documents which come in the form of a 'readme.txt' file or 'notes.txt'. Without the readme file, it can be difficult to install a kit unless you reverse engineer the installation process. Most of the time, the reverse engineering of kit installation is pretty easy because the PHP code is not obfuscated.

Here is a look at the obfuscated code in the PHP installer:

Looking at this code, we can see that it's Base64 encoded and a ZLIB compressed stream of data. The PHP script uses an 'eval' statement with 'gzuncompress' and 'base64_decode' functions to decode the stream of data. For us to get the clear text code, we can use a simple substitution trick along with the PHP CLI so that we can then analyze the installer's code. To do this, we simply need to replace the 'eval' with a 'print' and run the install.php script on the command line.

Here is a snippet of the deobfuscated install.php script:

Looking at this code, if you're like me, you might think that the interesting thing about it is the variable declarations with long base64 encoded streams. It actually turns out that each one of those variables is holding obfuscated PHP code for the page for which the variable is named. For example the '$config' variable holds the base64 encoded 'config.php' file and the '$activate' variable holds the 'activate.php' code, which we will get to in a bit. This is where things get interesting, as far as protection mechanisms go. The reason that the PHP code for each of these scripts is held in a variable is because the page names actually get randomized for each installation! This helps to prevent security researchers from easily finding and possibly viewing statistics about the site hosting a Phoenix Exploit's Kit. Prior to the version being analyzed here, Phoenix came with standard page names so once the exploit page was found, it was easy to find the statistics page and try to break in to view stats from that particular installation.
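As an added example (not Websense's code and not the kit's: the installer blob below is constructed, and the layer count, variable names and page bodies are assumptions), the two analysis steps described above done in Python rather than with the PHP CLI. It peels the `eval(gzuncompress(base64_decode(...)))` wrapper by decoding the argument instead of executing it, repeating the step for nested layers as a generalisation of the single layer shown, and then pulls the base64-encoded page bodies out of variables such as `$config` and `$activate`:

```python
import base64
import re
import zlib

# Constructed stand-in for the installer; the real kit's blob is not on the page.
# Two inner "page" scripts sit base64-encoded in variables, and the whole body is
# zlib-compressed and base64-encoded inside eval(gzuncompress(base64_decode('...'))).
INNER_PAGES = {
    "config": "<?php $stats_dir = 'stats'; ?>",
    "activate": "<?php echo 'send the activation string to the author'; ?>",
}


def build_obfuscated_installer(pages, layers=2):
    """Wrap constructed page bodies the way the text describes (demo input only)."""
    body = "<?php\n"
    for name, code in pages.items():
        body += f"${name} = '{base64.b64encode(code.encode()).decode()}';\n"
    body += "echo 'installer';\n?>"
    script = body
    for _ in range(layers):
        # PHP's gzcompress/gzuncompress use the zlib format, which Python's zlib module matches.
        blob = base64.b64encode(zlib.compress(script.encode())).decode()
        script = f"<?php eval(gzuncompress(base64_decode('{blob}'))); ?>"
    return script


EVAL_RE = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)"
)


def peel_eval_layers(script, max_layers=10):
    """Equivalent of swapping eval for print: decode the argument, never run it.

    Returns (clear_text, number_of_layers_removed). Stops at max_layers so a
    self-referential blob cannot loop forever.
    """
    peeled = 0
    while peeled < max_layers:
        m = EVAL_RE.search(script)
        if not m:
            break
        script = zlib.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        peeled += 1
    return script, peeled


# A variable assigned a long, quote-free base64 literal: $config = 'PD9waHAg...';
VAR_RE = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=]{16,})'\s*;")


def extract_embedded_pages(script):
    """Map variable name -> decoded PHP for every base64 literal that decodes to PHP source."""
    pages = {}
    for name, blob in VAR_RE.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: leave it alone
        if "<?php" in text:
            pages[name] = text
    return pages


def deobfuscate_installer(script):
    """Full pipeline: peel eval layers, then recover the per-page scripts held in variables."""
    clear, layers = peel_eval_layers(script)
    return clear, layers, extract_embedded_pages(clear)


def demo():
    return deobfuscate_installer(build_obfuscated_installer(INNER_PAGES))


if __name__ == "__main__":
    clear, layers, pages = demo()
    print(f"removed {layers} eval layer(s)")
    for name, code in pages.items():
        print(f"--- ${name} ---\n{code}")
```

Decoding the argument instead of evaluating it is the point of the print-for-eval substitution: nothing from the installer ever executes, so the script can be run on an untrusted sample without a PHP interpreter at all.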

Here is what the install looks like when it's visited from the browser:

As you can see, when viewing the installer from the browser, there is really nothing special about it. You get to choose the language of the installation instructions, either English or Russian. And on the next page you have a form to fill out for various resources. I'm not going to show you this form for the reason that it contains sensitive information. However, I will show you the result after filling out the form so that you can see the randomized page names and what has to be done to activate the kit.

This is a look at my current working directory before the install of Phoenix Exploit's Kit:

Here is the same directory after the completion of the install script:

As you can see, the install script contains just about everything needed to install the kit. It extracts the necessary scripts and randomizes the file names, and thus the purpose of the file. If you have a look at the code in each file, you can begin to figure out the purpose of each file. The thing to notice and realize from here is that each installation creates unique names for each of the pages. Again, what this means is that a researcher can't find statistics for an installed kit after finding the page serving up the exploits. Rather, for any given kit installed in the wild, it's anybody's guess as to the names used for statistics and other pages used by that kit!

Regarding the installation we've been examining, at this point the kit isn't at all usable because it doesn't yet contain the exploits. To obtain the exploits, the purchaser of the kit must contact the developer to activate their kit. The "installation success" page explains this: "To activate this installed copy of Phoenix Exploits Kit please send the following activation string to the author."

Here is a screen shot of the installation success page:

In summary, we can see that the developers of Phoenix Exploit's Kit are working on not only protecting their exploit code from being recognized, but also their installations. This makes it difficult for researchers to further dissect and understand how the kit works, especially if a researcher comes across just the install script. It also makes things more difficult for others who want to study and report on the statistics found from individual installations of Phoenix by randomizing the page names used in the kit installations.

Resource from: websense.com

Thursday, December 23, 2010

CVE-2010-3971 - Microsoft IE CSS 0-Day Vulnerability

A few days before Christmas, a Microsoft Internet Explorer CSS zero-day vulnerability (CVE-2010-3971) was disclosed in the wild. The flaw affects IE 6, IE 7 and IE 8. A PoC exploit is currently available in Metasploit, and the attack code is expected to be massively linked from large-scale malicious websites during Christmas and until the end of 2010.

According to Security Focus, successfully exploiting this issue may allow attackers to execute arbitrary code in the context of the application. Failed exploit attempts will result in denial-of-service conditions.

Once a user visits one of these crafted malicious websites, the system is infected with a large number of recent Trojans, which leads to leakage of private data and loss of online banking and other online account passwords.

This issue is caused by a use-after-free error within the "mshtml.dll" library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various "@import" rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page.

Security Focus

wooyun

Vupen

Although there is a workaround tool that forces named applications to apply ASLR to every DLL they load, who, especially among home users, will be aware of this tool and use it?

Wednesday, December 22, 2010

Social Spam Q&A - From F-Secure

Original Reference: Social Spam from F-Secure

Q: What is "social spam"?
A: Social spam is spam that uses social networking, media and news related websites to spread links.

Q: Links? You mean stuff like those links I see on Facebook saying something like "OMG! Father catches his daughter on webcam"?
A: Yes. Those links.

Q: And just how does spreading salacious links payoff for the social spammer?
A: First, let's discuss how e-mail spam works.

Q: Well… alright then, what about e-mail spam?
A: E-mail spam is similar to real world junk/bulk mail, the stuff that clogs up your mailbox at home. A product owner wants promotion, so he hires somebody to distribute advertising. The bulk mailer (spammer) offers prices/rates based on the number of ads to be distributed.

Q: Sounds rather straightforward. So how does an e-mail spammer get paid?
A: Could be a number of ways, but generally, you'll pay upfront for X amount of messages distributed. E-mail spammers compete with one another by attempting to offer better services. They also try to guarantee that their address lists are validated (live) accounts and thus a better quality than the other guys.

Q: So e-mail spam is a traditional product owner to advertiser relationship?
A: Right. The product owner wants advertising, so he pays an advertiser. The ad (spam) is sent to your Inbox and your antispam software filters the spam to a junk folder.

Q: Let's get back to social spam. How does spamming a link payoff for the spammer? There's no "advertising message" embedded in the link… it's just some tabloid style headline. Does the link open to an ad page?
A: No. (That's comment spam.) The social spam link is only the first step in the social spam process. And the greater the number of links spread, the greater the potential payoff for the spammer.

Q: What's the second step in the process?
A: Spreading the spam link.

Q: And how is that done?
A: By abusing the "social" nature of the website. So on Facebook for example, if you click a spam link, you'll be directed to a page that wants you to either like or allow.

Q: Like or allow?
A: Right. If the link takes you to a Facebook application (hosted by facebook.com) you'll have to allow the application access to your profile. If you do, the application will post its link to your profile, and thus share it with your friends.

Q: If it isn't an application?
A: If the link takes you to a "Page" (either on or offsite) you'll be requested to "Like" and "Share" the page to your profile. Spammers will use various tricks to get you to like and share.

Q: What kind of tricks?
A: Clear click clickjacking attacks. Pages attempt to use invisible frames to get people to click on a "like button" without even realizing it.

Q: So liking and sharing the page spreads the links… you do the spammers work for them?
A: Right.

Q: But if it is an application instead of a page, you have to allow it access?
A: Correct. And Facebook does provide a clear warning beforehand.

Q: How about other websites?
A: Twitter applications also warn the user before they add an application. Twitter switched to OAuth at the end of August 2010 so that your password is no longer shared with third party applications.

Q: So applications can be controlled and/or limited, but external pages that mimic the social site, can they be prevented?
A: That's a challenge. Social sites are designed to share. That's why they're social. Far greater amounts of legitimate pages are liked/shared and tweeted every day. The only way to really prevent a spam page from being shared is to block all sharing or of course, to remove the page from the site.

Q: So what is done?
A: Filtering. Social sites rely on their communities to report spam. Both Twitter and Facebook have "report as spam" options. And they have antispam technologies on the back-end.

Q: Step 2 is spreading… why does that process sound kind of familiar?
A: Because it is similar to an e-mail worm.

Q: What? An e-mail worm?
A: Yeah. E-mail spam includes its advertising in the body of the message or in an attachment. E-mail worms are a bit different. They used to attach a binary payload to a message, but antivirus companies long ago learned to filter such attachments.

Q: And?
A: And so these days, because malicious attachments are filtered, e-mail worms use links as bait. Recipients click on the link within the message and are taken to a webpage offering a malicious payload. And part of that payload's mission may include stealing your e-mail contacts so they'll be exposed to the threat as well.

Q: So social spammers didn't invent this process?
A: No, far from it. This whole process of link baiting has evolved from e-mail.

Q: So social spam is spread via "link worms"?
A: Yeah, that's kind of the general idea…

Q: Okay. Step 1 and 2 spreads like an e-mail worm, but the goal is more similar to e-mail spam. What's step 3? Do you get to see the father/daughter webcam video?
A: That depends on whether step 2 was an application or a page (still using Facebook as our example).

Q: What if step 2 allowed an application?
A: Then the spam application often provides the video (or whatever else) in return for harvesting your information.

Q: What kind of information?
A: That depends on what you allowed. It could be anything from basic public details to allowing the application to e-mail you, to managing your Facebook Pages. (Twitter applications will cause your account to follow others and to re-tweet their links.)

Q: Then what?
A: And then the social spammer has information that can be turned into a commodity for sale. Remember up above…

Q: That e-mail spammers compete with each other by offering better services and validated lists?
A: Right. What better way to create a validated list than a social networking site such as Facebook? Not only will you have live e-mail addresses, but the associated age, sex, gender, likes and interests. After all, there's very little point in sending Viagra spam to a 25 year old woman…

Q: That sounds like an excellent commodity. What else can be done with the information?
A: Worst case scenario: it could be used for identity theft or blackmail.

Q: Is that likely?
A: It's possible, but probably not likely. From what we've read in spammer forums, these guys are more about making a quick buck pushing ads.

Q: Okay, so back to step 2 again… What if step 2 was a page, then what?
A: This part is a bit complicated.

Q: It is?
A: Yes. If the social spam links to a page, the page is typically utilizing some sort of Cost Per Action affiliate marketing network.

Q: What is a Cost Per Action affiliate marketing network?
A: First, let's discuss affiliate marketing… This is from Wikipedia's entry: Affiliate marketing is a marketing practice in which a business rewards one or more affiliates for each visitor or customer brought about by the affiliate's own marketing efforts.

Q: So affiliates don't get paid upfront to advertise?
A: Right. Affiliates aren't selling bulk advertising. But instead, they're driving traffic towards the product owner. And the more traffic that they can drive towards the product, the more they can earn. Product owners like this method of marketing as they don't have to commit to funds upfront before results are produced.

Q: And affiliate marketing models are used by spammers?
A: Yes. Unfortunately, affiliate marketing is easily abused by spammers.

Q: So why is it legal?
A: Because there are many legitimate ways to run affiliate marketing. Let's take Groupon (groupon.com) as an example. If a certain number of people sign up for a Groupon offer, the deal becomes available to all; if the predetermined minimum is not met, then no one gets the deal that day. Groupon users are acting as a kind of affiliate. If they do the marketing work and share the offer among their peers, and enough people sign up, the company authorizes the deal.

Q: So it is quite difficult to legislate good from bad affiliate marketing?
A: Yes.

Q: Okay, so social spammers utilize a form of affiliate marketing. What are Cost Per Action affiliate networks?
A: An affiliate marketing network is kind of like a "super affiliate". Affiliate marketers earn a progressive percentage of payout based on the volume of leads produced. One individual typically cannot produce enough volume to reach a higher percentage tier. Affiliate marketing networks allow individuals to act as a collective affiliate, producing higher volumes, which passes the higher payouts down to the network members.

Q: And Cost Per Action (CPA)?
A: CPA is typically about acquiring something from potential leads.

Q: So what happens during step 3 after a page is liked and shared?
A: The spammer promises to show the video (or whatever) after a small "anti-bot" test (action) has been performed. They claim it is a form of CAPTCHA, or verification that you’re human.

Q: And this is when the spammer gets what he wants?
A: Yes. At this point a JavaScript form opens and "special offers" are given to prove that the person is human.

Q: What kind of special offers?
A: It could be something as simple as downloading a search toolbar for your browser or providing a valid e-mail address to receive a coupon. Or… it might be something as manipulative as getting you to sign up for expensive SMS-based subscription services.

Q: And is this when the spammer makes money?
A: Yes. For each person that completes an action, and offers the product owner a "lead", the affiliate/spammer can earn one dollar or more.

Q: One dollar or more? That's good money.
A: Yes. It takes very little effort to earn good money.

Q: So is all of this considered a scam?
A: Scam is a rather strong word.

Q: But there are some security vendors that call this stuff a scam. You don't think so?
A: Scam is a strong word to use… A scam is something such as an Advance Fee Fraud, i.e. "You have just won the UK lottery! Contact LottoUK at blah blah blah dot com."

Q: So what is this CPA spam stuff then?
A: It falls under the category of deceptive marketing.

Q: So why do some folks keep blogging about Facebook Scams? Is it hype?
A: You'll have to ask them.

Q: Well then, if it is deceptive marketing… what can be done about it?
A: Government regulators should get involved. Example: In Finland, a case of localized (Finnish language) Facebook spam was resolved by the Finnish Consumer Protection Agency. F-Secure provided details to the press, and either the press, and/or victims reported the SMS subscription vendor as being deceptive. The local company which provided the billing services for the SMS vendor reversed all charges associated with that spam run. (There hasn't been a second attempt.)

Q: What about the United States? Is there a way to fight deceptive affiliate marketing spam in the United States?
A: It's been done before. In 2006, Zango, an adware vendor (Hotbar) faced an FTC investigation that essentially put them out of business. A public advocacy group filed two official complaints charging Zango with engaging in unfair and deceptive business practices.

Q: So who are the companies that the FTC should probably look at in 2011?
A: The list includes CPAlead (cpalead.com), PeerFly (peerfly.com), and Adscend Media (adscendmedia.com) among others.

Q: What about the recent lawsuits that Facebook brought against three spammers?
A: Actually, one of those three lawsuits is focused on Jason Swan, the CTO of CPAlead. The CAN-SPAM act is being cited in the lawsuits and all three examples include cases in which fake or fraudulent services were offered. "Facebook Gold" accounts for example. There is no such thing, and so Facebook claims the defendants are guilty under the CAN-SPAM act.

Q: But doesn't most social spam eventually open the promised video (or whatever)?
A: Yes. It's mostly just recycled content from YouTube but if all 3 steps are completed, the link delivers on its promise. So these three cases are interesting, but it seems more like a warning to spammers than a solution. We aren't sure if the CAN-SPAM act applies (but it's worth bringing before a judge).

Q: So summarize it again, what are the steps involved with social spam?
A: First the victim clicks on a link. Second, they like/share or allow the application or page. Third, they complete the Cost Per Action offer. And then they are "rewarded" with old content that they could have located on YouTube (or elsewhere) themselves.

Q: How effective is social spam?
A: Very good question. In 2009, social spam was generated by hacked/phished accounts. During 2010, other methods were developed by spammers to seed spam links. By the summer of 2010, spam links were generating hundreds of thousands of clicks.

Q: Do social spam links still get clicked?
A: Click rates have dropped as people become familiar with the process. There is an ever increasing decline in the effectiveness of any single link. However, the click rates and payouts are considerably higher for social spammers than e-mail spam.

Q: Will social spam ever be as big a problem as e-mail spam?
A: E-mail spam does not require interaction. Spammers can simply pump as much of it as possible in their attempts to bypass spam filters.

Social spam typically requires human interaction (except for occasional site vulnerabilities). Because social spam is interactive, there is something that can be done. Facebook and Twitter are constantly redesigning their UI to improve the user experience and to help their communities recognize and avoid spam. And because social media sites are constantly evolving, the nature of social spam is also evolving.

Social spam will probably always exist, taking advantage of one site feature or another, but it isn't as likely to abuse the system so completely as e-mail spam has. The only way to fix e-mail spam is to fix e-mail protocols. Facebook and Twitter spam can be addressed by the sites as needed.

Q: Finally, are there other types of spam being pushed via social media sites?
A: Yes. Fake profile spam pushing adult dating sites and services… but that's another Q&A. We'll get back to that once we're done sorting through all the images (somebody's got to do it).


Original Reference: Social Spam from F-Secure

Spam -- Google URL Shortener & Web Reputation Safety failed

When I first came across web safety and reputation ratings from third-party plugins or add-ons for webmail, especially Gmail, Yahoo and Hotmail, I was very happy with the feature, since it keeps filtering the URL links embedded in incoming emails.

But what if the incoming email is from a friend, its content contains a Google URL Shortener link, and that link carries a WOT safety rating? Would you click on it without hesitation? Most users would probably answer "YES"!

Below is a screenshot example of such a case.


Spam Link:

goo.gl/F1JqN - redirecting to nbtoday14.info/


and others.


67.228.136.62

bestmoviestrailer.com
nbtoday14.info

It would be great if the Google URL Shortener could filter out those spam links.
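As an added example that is not part of the original post, the following Python resolves a short link's full redirect chain and rates every hop, so a clean rating on the shortener domain cannot mask the destination. The redirect map and bad-host list are constructed test data built from the goo.gl/F1JqN to nbtoday14.info hop reported above; http_location is the live fetcher for real use and is an assumption of this example.

```python
"""Rate the destination of a short link, not just the shortener domain.
Added example; SAMPLE_REDIRECTS and BAD_HOSTS are constructed test data."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10

# Constructed reputation data: the spam hosts reported in the post above.
BAD_HOSTS = {"nbtoday14.info", "bestmoviestrailer.com"}


def http_location(url):
    """Fetch only the headers of `url` without following redirects.
    Returns the absolute Location target, or None if `url` is final."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                      # make urllib raise instead of follow
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10):
            return None                      # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location"):
            return urljoin(url, err.headers["Location"])
        return None


def resolve_chain(url, locate=http_location, max_hops=MAX_HOPS):
    """Return every URL visited, starting with `url`. Raises on a redirect
    loop or when the chain exceeds max_hops (both signs of abusive chaining)."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = locate(chain[-1])
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        chain.append(nxt)
        seen.add(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def rate_link(url, bad_hosts=BAD_HOSTS, locate=http_location):
    """Rate the host of every hop; the shortener alone tells you nothing."""
    chain = resolve_chain(url, locate)
    flagged = [u for u in chain if urlsplit(u).hostname in bad_hosts]
    return {"final": chain[-1], "hops": len(chain) - 1,
            "flagged": flagged, "safe": not flagged}


# Constructed offline redirect map standing in for live HTTP lookups.
SAMPLE_REDIRECTS = {
    "http://goo.gl/F1JqN": "http://nbtoday14.info/",
    "http://nbtoday14.info/": None,
    "http://example.invalid/a": "http://example.invalid/b",   # a <-> b loop
    "http://example.invalid/b": "http://example.invalid/a",
}


def sample_locate(url):
    """Offline stand-in for http_location using the constructed map."""
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    print(rate_link("http://goo.gl/F1JqN", locate=sample_locate))
```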

Monday, December 20, 2010

Google Safe Browsing Blocks Malaysiakini.com

A reader sent me an email today informing me that a popular Malaysian political news website was compromised and contained a link to "expa52.co.cc".


Malaysiakini is a political news website published in English, Malay, Chinese and Tamil. Since its launch on November 20, 1999, it has been widely considered to be one of the leading non-government owned paid-news agencies in Malaysia. Compete.com estimates that Malaysiakini now attracts over 10,000 unique visitors in May 2009.[1] Alexa ranked malaysiakini.com as the 16th most popular web site in Malaysia (ahead of Star) in 2008.[2]

Unlike most news sources in Malaysia, Malaysiakini remains free from government regulation and thus widely considered to be the country's only credible, independent voice. Malaysiakini has gained both praise and notoriety by regularly covering subjects and viewpoints deemed taboo by the mainstream broadcast and print media; the fact that it is still allowed to operate is partly due to the Malaysian government's tolerance regarding internet censorship. The Malaysian government had pledged there would be no control and censorship of Internet content in line with efforts to create the Multimedia Super Corridor.


Google Safe Browsing blocks it; details can be obtained from the link below.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.malaysiakini.com/




69.50.221.197

expa29.co.cc
expa41.co.cc
expa43.co.cc
expa50.co.cc
expa58.co.cc


Network Whois record
Queried whois.arin.net with "n 69.50.221.197"...

NetRange: 69.50.192.0 - 69.50.223.255
CIDR: 69.50.192.0/19
OriginAS:
NetName: ATJEU
NetHandle: NET-69-50-192-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ATJEU.COM
NameServer: NS2.ATJEU.COM
RegDate: 2003-06-04
Updated: 2010-07-27
Ref: http://whois.arin.net/rest/net/NET-69-50-192-0-1

OrgName: atjeu publishing, llc
OrgId: APL-37
Address: 1515 West Deer Valley Road
Address: C-103
City: Phoenix
StateProv: AZ
PostalCode: 85027
Country: US
RegDate: 2002-09-10
Updated: 2009-11-30
Ref: http://whois.arin.net/rest/org/APL-37

OrgTechHandle: BV137-ARIN
OrgTechName: Vasilev, Boris
OrgTechPhone: +1-623-434-5294
OrgTechEmail: sales@atjeu.com
OrgTechRef: http://whois.arin.net/rest/poc/BV137-ARIN


Reference:

http://centralops.net/co/
http://www.robtex.com/

Wednesday, December 15, 2010

Rogue AV, Spam & Suspicious link 16-Dec-10


Microsoft Tuesday Patch - December 2010

Microsoft released a huge batch of patches before entering 2011. The operating system vendor released 17 bulletins covering a total of 40 vulnerabilities. One of the patches addresses the zero-day vulnerability in Windows Task Scheduler that was used by Stuxnet.

The summary for the December releases can be obtained from here.

MS10-090 - Cumulative Security Update for Internet Explorer (2416400)

This security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-091 - Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)

This security update resolves several privately reported vulnerabilities in the Windows Open Type Font (OTF) driver that could allow remote code execution. An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS10-092 - Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)

This security update resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-093 - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)

This security update resolves a publicly disclosed vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Movie Maker file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-094 - Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)

This security update resolves a publicly disclosed vulnerability in Windows Media Encoder. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Media Profile (.prx) file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-095 - Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file type such as .eml and .rss (Windows Live Mail) or .wpost (Microsoft Live Writer) located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-096 - Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)

This security update resolves a publicly disclosed vulnerability in Windows Address Book. The vulnerability could allow remote code execution if a user opens a Windows Address Book file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-097 - Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)

This security update resolves a publicly disclosed vulnerability in the Internet Connection Signup Wizard of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.

The vulnerability could allow remote code execution if a user opens an .ins or .isp file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-098 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)

This security update resolves one publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

MS10-099 - Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)

This security update addresses a privately reported vulnerability in the Routing and Remote Access NDProxy component of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-100 - Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)

This security update resolves a privately reported vulnerability in the Consent User Interface (UI). The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and the SeImpersonatePrivilege and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-101 - Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)

This security update resolves a privately reported vulnerability in the Netlogon RPC Service on affected versions of Windows Server that are configured to serve as domain controllers. The vulnerability could allow denial of service if an attacker sends a specially crafted RPC packet to the Netlogon RPC Service interface on an affected system. An attacker requires administrator privileges on a machine that is joined to the same domain as the affected domain controller in order to exploit this vulnerability.

MS10-102 - Vulnerability in Hyper-V Could Allow Denial of Service (2345316)

This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-103 - Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)

This security update resolves five privately reported vulnerabilities in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-104 - Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)

This security update resolves a privately reported vulnerability in Microsoft SharePoint. The vulnerability could allow remote code execution in the security context of a guest user if an attacker sent a specially crafted SOAP request to the Document Conversions Launcher Service in a SharePoint server environment that is using the Document Conversions Load Balancer Service. By default, the Document Conversions Load Balancer Service and Document Conversions Launcher Service are not enabled in Microsoft Office SharePoint Server 2007.

MS10-105 - Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)

This security update resolves seven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-106 - Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)


This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.


Monday, December 13, 2010

Spam & Suspicious link 12-Dec-10

Thursday, December 2, 2010

Identifying the country of origin for a malware PE executable

Update 11/29/10: Added a short discussion about non-malware executables also.

Have you ever wondered how people writing reports about malware can say where the malware was likely developed?

Sometimes you get totally lucky and log files created by the malware will help answer the question. Given the following line from a log:

11/16/2009 6:41:48 PM –> Hook instalate lsass.exe

We can use Google Translate’s “language detect” feature to help us determine the language used (click to enlarge):

Of course, it’s not often we get THAT lucky!

A more interesting method is the examination of certain structures known as the Resource Directory within the executable file itself. For the purpose of this post, I will not be describing the Resource Directory structure. It’s a complicated beast, making it a topic I will save for later posts that actually warrant and/or require a low-level understanding of it. Suffice it to say, the Resource Directory is where embedded resources like bitmaps (used in GUI graphics), file icons, etc. are stored. The structure is frequently compared to the layout of files on a file system, although I think it’s insulting to file systems to say such a thing. For those more graphically inclined, I took the following image from http://www.devsource.com/images/stories/PEFigure2.jpg. (Click to enlarge.)

For the sake of example, here are some images showing you just a few of the resources embedded inside of notepad.exe (using CFF Explorer from: http://www.ntcore.com/exsuite.php):

Now it’s important to note that an executable may have only a few or even zero resources – especially in the case of malware. Consider the following example showing a recent piece of malware with only a single resource called “BINARY.” (Click to enlarge.)

Moving on, let’s look at another piece of malware… Below, we see this piece of malware has five resource directories.

We could pick any of the five for this analysis, but I’ll pick RCData – mostly because it’s typically an interesting directory to examine when reverse engineering malware. (This is because RCData defines a raw data resource for an application. Raw data resources permit the inclusion of any binary data directly in the executable file.) Under RCData, we see three separate entries:

The first one to catch my eye is the one called IE_PLUGIN. I’ll show a screenshot of it below, but am saving the subject of executables embedded within executables for a MUCH more technical post in the near future (when it’s not 1:30 am and I actually feel like writing more!). ;-) (Click to enlarge.)

Going back to the entry structure itself, the IE_PLUGIN entry will have at least one Directory Entry underneath it to describe the size(s) and offset(s) to the data contained within that resource. I have expanded it as shown next:

And that’s where things get interesting – as it relates to answering the question at the start of this post anyway. Notice the ID: 1055. That’s our money shot for helping to determine what country this binary was compiled in. Or, more specifically, the default locale codepage of the computer used to compile this binary. Those IDs have very legitimate uses; for example, you can have the same dialog in English, French and German localized forms. The system will choose the dialog to load based on the thread’s locale. However, when resources are added to the binary without explicitly setting them to different locale IDs, those resources will be assigned the default locale ID of the compiler’s computer.

So in the example above, what does 1055 mean?

It means this piece of malware was likely developed in (or at least compiled in) Turkey.

How do we know that one resource wasn’t added with a custom ID? Because we see the same ID when looking at almost all the other resources in the file (anything with an ID of zero just means “use the default locale”):

In this case, we are also lucky enough to have other strings in the binary (once unpacked) to help solidify the assertion this binary is from Turkey. One such string is “Aktif Pencere,” which Google’s Translation detection engine shows as: (Click to enlarge.)

However, as you can see, this technique is very useful even when no strings are present – in logs or the binary itself.

So is this how the default binary locale identification works normally (eg: non-malware executable files)?

Not exactly. The above techniques are generally used with malware (if the malware even has exposed resources), but not generally with normal/legitimate binaries. Consider the following legitimate binary. What is the source locale for the following example?

As you see in the green box, we have some cursor resources with the ID for the United States. (I’m including a lookup table at the bottom of this post.) In the orange box, there are additional cursor resources with the ID for Germany. In the red box is RCData, like we examined before, but all of these resources have the ID specifying the default language of the computer executing the application.

As it turns out, the normal value to examine is the ID for the Version Information Table resource (in the blue box). In the case above, it’s the Czech Republic. The Version Information Table contains the “metadata” you normally see depicted in locations like this:

In the above screenshot, Windows is identifying the source/target locale as English, and specifically, United States English (as opposed to UK English, Australian English, etc…). That information is not stored within the Version Information table, but rather is determined by the ID of the Version Information Table.

However, in malware, the Version Information table is almost always stripped or mangled, as is the case with our original example from earlier:

Because of that, the earlier techniques are more applicable to malware.
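The two heuristics above (prefer the Version Information resource’s language ID when it survives, otherwise look at the IDs on the remaining resources) can be applied mechanically. The following is an added example, not code from the original post: it walks the type -> name -> language directory tree of a PE .rsrc section and tallies the LCIDs. The .rsrc blobs it inspects are constructed in memory; RT_CURSOR=1, RT_RCDATA=10 and RT_VERSION=16 are the standard Windows resource type numbers.

```python
"""Tally the language IDs (LCIDs) carried by the resources in a PE .rsrc section, the check
the post does by hand. Added example, not the post's code; the .rsrc blobs are constructed."""
import struct
from collections import Counter
RT_CURSOR, RT_RCDATA, RT_VERSION = 1, 10, 16   # standard Windows resource type IDs
def build_rsrc(resources):
    """Fixture builder: lay out (type, name, lang) triples as the type->name->language tree."""
    tree = {}
    for type_id, name_id, lang_id in resources:
        tree.setdefault(type_id, {}).setdefault(name_id, {})[lang_id] = None
    blob = bytearray()
    def write_dir(node, depth):                    # returns this directory's offset
        here = len(blob)                           # all offsets are section-relative
        blob.extend(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(node)))   # IMAGE_RESOURCE_DIRECTORY
        table = len(blob)
        blob.extend(b"\0" * (8 * len(node)))       # entry slots, filled in below
        for i, ident in enumerate(sorted(node)):
            if depth < 2:                          # high bit => offset of a subdirectory
                off = write_dir(node[ident], depth + 1) | 0x80000000
            else:                                  # leaf IMAGE_RESOURCE_DATA_ENTRY
                off = len(blob)
                blob.extend(struct.pack("<IIII", 0, 0, 0, 0))  # RVA, size, codepage, reserved
            struct.pack_into("<II", blob, table + 8 * i, ident, off)
        return here
    write_dir(tree, 0)
    return bytes(blob)

def resource_languages(rsrc):
    """Walk type -> name -> language; string-named entries keep their raw name field."""
    def entries(off):                              # (id_or_name, offset) pairs of one directory
        n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
        for i in range(n_named + n_id):
            yield struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
    return [(t, n, lang) for t, t_off in entries(0)
            for n, n_off in entries(t_off & 0x7FFFFFFF)
            for lang, _ in entries(n_off & 0x7FFFFFFF)]
def likely_locale(rsrc):
    """Post's heuristics: VERSION resource LCID if it survives, else most common non-zero LCID."""
    recs = resource_languages(rsrc)
    version = [lang for t, _, lang in recs if t == RT_VERSION and lang]
    tally = Counter(lang for _, _, lang in recs if lang)   # 0 means "use the default locale"
    if version:
        return version[0], "version info"
    return (tally.most_common(1)[0][0], "resource majority") if tally else (0, "no locale set")

STRIPPED = build_rsrc([(RT_RCDATA, 101, 1055), (RT_RCDATA, 102, 1055),   # constructed: malware-like
                       (RT_RCDATA, 103, 0), (RT_CURSOR, 1, 1033)])
LEGIT = build_rsrc([(RT_CURSOR, 1, 1033), (RT_CURSOR, 2, 1031),           # constructed: legitimate
                    (RT_RCDATA, 5, 0), (RT_VERSION, 1, 1029)])
print(likely_locale(STRIPPED), likely_locale(LEGIT))
```

On a real sample, feed `likely_locale` the raw bytes of the `.rsrc` section; a stripped Version Information resource falls through to the majority vote, which is exactly the situation the post describes for malware.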

Below, I’m including a table to help you translate Resource Entry IDs to locales (sorted by decimal ID number).

Locale | Language | LCID | Decimal | Codepage
Arabic – Saudi Arabia | ar | ar-sa | 1025 | 1256
Bulgarian | bg | bg | 1026 | 1251
Catalan | ca | ca | 1027 | 1252
Chinese – Taiwan | zh | zh-tw | 1028 |
Czech | cs | cs | 1029 | 1250
Danish | da | da | 1030 | 1252
German – Germany | de | de-de | 1031 | 1252
Greek | el | el | 1032 | 1253
English – United States | en | en-us | 1033 | 1252
Spanish – Spain (Traditional) | es | es-es | 1034 | 1252
Finnish | fi | fi | 1035 | 1252
French – France | fr | fr-fr | 1036 | 1252
Hebrew | he | he | 1037 | 1255
Hungarian | hu | hu | 1038 | 1250
Icelandic | is | is | 1039 | 1252
Italian – Italy | it | it-it | 1040 | 1252
Japanese | ja | ja | 1041 |
Korean | ko | ko | 1042 |
Dutch – Netherlands | nl | nl-nl | 1043 | 1252
Norwegian – Bokmål | nb | no-no | 1044 | 1252
Polish | pl | pl | 1045 | 1250
Portuguese – Brazil | pt | pt-br | 1046 | 1252
Raeto-Romance | rm | rm | 1047 |
Romanian – Romania | ro | ro | 1048 | 1250
Russian | ru | ru | 1049 | 1251
Croatian | hr | hr | 1050 | 1250
Slovak | sk | sk | 1051 | 1250
Albanian | sq | sq | 1052 | 1250
Swedish – Sweden | sv | sv-se | 1053 | 1252
Thai | th | th | 1054 |
Turkish | tr | tr | 1055 | 1254
Urdu | ur | ur | 1056 | 1256
Indonesian | id | id | 1057 | 1252
Ukrainian | uk | uk | 1058 | 1251
Belarusian | be | be | 1059 | 1251
Slovenian | sl | sl | 1060 | 1250
Estonian | et | et | 1061 | 1257
Latvian | lv | lv | 1062 | 1257
Lithuanian | lt | lt | 1063 | 1257
Tajik | tg | tg | 1064 |
Farsi – Persian | fa | fa | 1065 | 1256
Vietnamese | vi | vi | 1066 | 1258
Armenian | hy | hy | 1067 |
Azeri – Latin | az | az-az | 1068 | 1254
Basque | eu | eu | 1069 | 1252
Sorbian | sb | sb | 1070 |
FYRO Macedonia | mk | mk | 1071 | 1251
Sesotho (Sutu) | | | 1072 |
Tsonga | ts | ts | 1073 |
Setswana | tn | tn | 1074 |
Venda | | | 1075 |
Xhosa | xh | xh | 1076 |
Zulu | zu | zu | 1077 |
Afrikaans | af | af | 1078 | 1252
Georgian | ka | | 1079 |
Faroese | fo | fo | 1080 | 1252
Hindi | hi | hi | 1081 |
Maltese | mt | mt | 1082 |
Sami Lappish | | | 1083 |
Gaelic – Scotland | gd | gd | 1084 |
Yiddish | yi | yi | 1085 |
Malay – Malaysia | ms | ms-my | 1086 | 1252
Kazakh | kk | kk | 1087 | 1251
Kyrgyz – Cyrillic | | | 1088 | 1251
Swahili | sw | sw | 1089 | 1252
Turkmen | tk | tk | 1090 |
Uzbek – Latin | uz | uz-uz | 1091 | 1254
Tatar | tt | tt | 1092 | 1251
Bengali – India | bn | bn | 1093 |
Punjabi | pa | pa | 1094 |
Gujarati | gu | gu | 1095 |
Oriya | or | or | 1096 |
Tamil | ta | ta | 1097 |
Telugu | te | te | 1098 |
Kannada | kn | kn | 1099 |
Malayalam | ml | ml | 1100 |
Assamese | as | as | 1101 |
Marathi | mr | mr | 1102 |
Sanskrit | sa | sa | 1103 |
Mongolian | mn | mn | 1104 | 1251
Tibetan | bo | bo | 1105 |
Welsh | cy | cy | 1106 |
Khmer | km | km | 1107 |
Lao | lo | lo | 1108 |
Burmese | my | my | 1109 |
Galician | gl | | 1110 | 1252
Konkani | | | 1111 |
Manipuri | | | 1112 |
Sindhi | sd | sd | 1113 |
Syriac | | | 1114 |
Sinhala; Sinhalese | si | si | 1115 |
Amharic | am | am | 1118 |
Kashmiri | ks | ks | 1120 |
Nepali | ne | ne | 1121 |
Frisian – Netherlands | | | 1122 |
Filipino | | | 1124 |
Divehi; Dhivehi; Maldivian | dv | dv | 1125 |
Edo | | | 1126 |
Igbo – Nigeria | | | 1136 |
Guarani – Paraguay | gn | gn | 1140 |
Latin | la | la | 1142 |
Somali | so | so | 1143 |
Maori | mi | mi | 1153 |
HID (Human Interface Device) | | | 1279 |
Arabic – Iraq | ar | ar-iq | 2049 | 1256
Chinese – China | zh | zh-cn | 2052 |
German – Switzerland | de | de-ch | 2055 | 1252
English – Great Britain | en | en-gb | 2057 | 1252
Spanish – Mexico | es | es-mx | 2058 | 1252
French – Belgium | fr | fr-be | 2060 | 1252
Italian – Switzerland | it | it-ch | 2064 | 1252
Dutch – Belgium | nl | nl-be | 2067 | 1252
Norwegian – Nynorsk | nn | no-no | 2068 | 1252
Portuguese – Portugal | pt | pt-pt | 2070 | 1252
Romanian – Moldova | ro | ro-mo | 2072 |
Russian – Moldova | ru | ru-mo | 2073 |
Serbian – Latin | sr | sr-sp | 2074 | 1250
Swedish – Finland | sv | sv-fi | 2077 | 1252
Azeri – Cyrillic | az | az-az | 2092 | 1251
Gaelic – Ireland | gd | gd-ie | 2108 |
Malay – Brunei | ms | ms-bn | 2110 | 1252
Uzbek – Cyrillic | uz | uz-uz | 2115 | 1251
Bengali – Bangladesh | bn | bn | 2117 |
Mongolian | mn | mn | 2128 |
Arabic – Egypt | ar | ar-eg | 3073 | 1256
Chinese – Hong Kong SAR | zh | zh-hk | 3076 |
German – Austria | de | de-at | 3079 | 1252
English – Australia | en | en-au | 3081 | 1252
French – Canada | fr | fr-ca | 3084 | 1252
Serbian – Cyrillic | sr | sr-sp | 3098 | 1251
Arabic – Libya | ar | ar-ly | 4097 | 1256
Chinese – Singapore | zh | zh-sg | 4100 |
German – Luxembourg | de | de-lu | 4103 | 1252
English – Canada | en | en-ca | 4105 | 1252
Spanish – Guatemala | es | es-gt | 4106 | 1252
French – Switzerland | fr | fr-ch | 4108 | 1252
Arabic – Algeria | ar | ar-dz | 5121 | 1256
Chinese – Macau SAR | zh | zh-mo | 5124 |
German – Liechtenstein | de | de-li | 5127 | 1252
English – New Zealand | en | en-nz | 5129 | 1252
Spanish – Costa Rica | es | es-cr | 5130 | 1252
French – Luxembourg | fr | fr-lu | 5132 | 1252
Bosnian | bs | bs | 5146 |
Arabic – Morocco | ar | ar-ma | 6145 | 1256
English – Ireland | en | en-ie | 6153 | 1252
Spanish – Panama | es | es-pa | 6154 | 1252
French – Monaco | fr | | 6156 | 1252
Arabic – Tunisia | ar | ar-tn | 7169 | 1256
English – Southern Africa | en | en-za | 7177 | 1252
Spanish – Dominican Republic | es | es-do | 7178 | 1252
French – West Indies | fr | | 7180 |
Arabic – Oman | ar | ar-om | 8193 | 1256
English – Jamaica | en | en-jm | 8201 | 1252
Spanish – Venezuela | es | es-ve | 8202 | 1252
Arabic – Yemen | ar | ar-ye | 9217 | 1256
English – Caribbean | en | en-cb | 9225 | 1252
Spanish – Colombia | es | es-co | 9226 | 1252
French – Congo | fr | | 9228 |
Arabic – Syria | ar | ar-sy | 10241 | 1256
English – Belize | en | en-bz | 10249 | 1252
Spanish – Peru | es | es-pe | 10250 | 1252
French – Senegal | fr | | 10252 |
Arabic – Jordan | ar | ar-jo | 11265 | 1256
English – Trinidad | en | en-tt | 11273 | 1252
Spanish – Argentina | es | es-ar | 11274 | 1252
French – Cameroon | fr | | 11276 |
Arabic – Lebanon | ar | ar-lb | 12289 | 1256
English – Zimbabwe | en | | 12297 | 1252
Spanish – Ecuador | es | es-ec | 12298 | 1252
French – Cote d’Ivoire | fr | | 12300 |
Arabic – Kuwait | ar | ar-kw | 13313 | 1256
English – Philippines | en | en-ph | 13321 | 1252
Spanish – Chile | es | es-cl | 13322 | 1252
French – Mali | fr | | 13324 |
Arabic – United Arab Emirates | ar | ar-ae | 14337 | 1256
Spanish – Uruguay | es | es-uy | 14346 | 1252
French – Morocco | fr | | 14348 |
Arabic – Bahrain | ar | ar-bh | 15361 | 1256
Spanish – Paraguay | es | es-py | 15370 | 1252
Arabic – Qatar | ar | ar-qa | 16385 | 1256
English – India | en | en-in | 16393 |
Spanish – Bolivia | es | es-bo | 16394 | 1252
Spanish – El Salvador | es | es-sv | 17418 | 1252
Spanish – Honduras | es | es-hn | 18442 | 1252
Spanish – Nicaragua | es | es-ni | 19466 | 1252
Spanish – Puerto Rico | es | es-pr | 20490 | 1252

Gary Golomb

Original from http://www.networkforensics.com/2010/11/25/identifying-the-country-of-origin-for-a-malware-pe-executable/