Internet Domain Registry


Wednesday, 9 November 2011

Operation Ghost Click: DNSChanger Malware Ring Dismantled

Posted on 14:04 by Unknown
Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the one that you are supposed to use, to one that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested by the Estonian Police and Border Guard Board were:

Vladimir Tsastsin, age 31
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

Andrey Taame, age 31, Russian, is still at large

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, (above left) U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).


The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline "Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business: Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants".

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as www.fbi.gov, into an IP address, such as 205.128.73.105. For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud



If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link returned shows the destination "www.apple.com/itunes/", which is the real Apple website where someone can download the iTunes software.


(source: Tsastsin Indictment)

When an infected computer clicks the link, the user's computer would go to the criminal's nameserver, which would send it to the wrong computer. In this case, instead of going to "apple.com" the user is sent to "www.idownload-store-music.com" which looks just like the Apple store, but which charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to one of these fake websites.

In other examples, the company where the traffic is sent to is a legitimate company. For example, H&R Block, the Tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit www.irs.gov. So, because you were using the criminal's nameserver, if you typed or clicked on "irs.gov" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement


The other way the criminal earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminal instead.

In an example from the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminal's nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States, were infected with this malware. The earnings generated by these young men from the false advertisements exceeded $14 million!

Blocking Antivirus


In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus vendor, it would simply get an error saying the server was unavailable.

The Charges


All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are you infected?



The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.
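The check described above can be automated. The following is an added example, not code from the FBI document or from the original post: it turns the six ranges listed on this page into networks and tests the resolvers found in a `resolv.conf` file or in `ipconfig /all` output. The sample configurations and the addresses in them are constructed for illustration.

```python
import ipaddress
import re

# Rogue DNS ranges exactly as listed from the Protective Order on this page.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def rogue_networks(ranges=ROGUE_RANGES):
    """Convert first/last address pairs into CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


ROGUE_NETS = rogue_networks()


def is_rogue(address):
    """True if the address falls inside one of the listed ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP address at all
    return any(ip in net for net in ROGUE_NETS)


def resolvers_from_resolv_conf(text):
    """Resolver addresses from Unix-style resolv.conf contents."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_ipconfig(text):
    """Resolver addresses from Windows `ipconfig /all` output.

    Additional servers appear on continuation lines holding only an address.
    """
    found, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            found.extend(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
                                    line.split(":", 1)[-1]))
        elif in_dns and re.fullmatch(r"\s+(?:\d{1,3}\.){3}\d{1,3}\s*", line):
            found.append(line.strip())
        else:
            in_dns = False
    return found


def rogue_resolvers(addresses):
    return [a for a in addresses if is_rogue(a)]


# Constructed sample inputs (not taken from a real machine).
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 85.255.112.36
nameserver 8.8.8.8   # second resolver
search example.lan
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 64.28.176.10
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in (
        ("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig /all", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
    ):
        bad = rogue_resolvers(servers)
        print(label, servers, "ROGUE:" if bad else "clean", bad)
```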

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City, known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge



The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to use some other nameserver, your computer just stops being able to look up names! If that had happened, when you typed in "www.facebook.com" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauly III on November 3rd in the Southern District of New York.

The Criminal Companies


The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (Gathi.com), Onwa Limited (Uttersearch.com), Lintor Limited (Crossnets.com) and others were used to create and broker advertising deals which would be used in the Replacement Ad schemes.

Other Things You Must Read


TrendMicro's Malware Blog - EstHost Taken Down - Biggest Cybercriminal Takedown in History - An important link that must be pointed out. Vladimir Tsastsin, the CEO of Rove Digital, was also the CEO of EstHost, one of the first registrars to have its ICANN Accreditation pulled because of criminal activity.

TrendMicro: A Cybercrime Hub - this report, in August 2009, laid out the basics of the criminal activity that Trend had been able to identify. Industry contributions such as this are part of the "Partnership for Success" that the FBI spoke about today, and TrendMicro really led the way on this case!

Brian Krebs' authoritative journalism on Vladimir - "EstDomains: A Sordid History and a Storied CEO"

SpamHaus ROKSO file on Rove Digital - ROKSO File (Registry Of Known Spam Offenders) on Rove Digital

Newsweek calls Rove Digital one of the "Top Ten Spammers" -(December 2009).
Posted in malware | No comments

Friday, 4 November 2011

Duqu: You're safe unless you use TrueType Fonts?

Posted on 05:14 by Unknown
Two of the malware analysts in my lab have been complaining to me that the malware they see every day is getting boring - the primary attacks that we see in the largest volume are the same thing over and over and over again.

Let's be thankful for that! The big news in the malware world yesterday came when Microsoft announced a work around for Duqu, named by researchers in the CrySyS Lab (the Laboratory for Cryptography and System Security at Budapest University of Technology and Economics) because it prefixes some created filenames with the letters "~DQ".

On October 14, 2011, CrySyS contacted Symantec to get some help analyzing the malware, and Symantec released an extremely informative 67 page PDF report called W32.Duqu: The Precursor to the next Stuxnet. (The link is to version 1.3 of the report, updated on November 1, 2011).

There have been two IP addresses confirmed to be associated with Duqu and serving as Command & Control. The first IP was in India - 206.183.111.97. The second was in Hungary - 77.241.93.160. Traffic flow to either of these IP addresses would be a strong positive indicator of a Duqu infection! Both sites are down now.

The first server was announced to be down on October 31st in stories such as this one -- India Shuts Server Linked to Duqu Computer Virus, which shares some details of a server located at the 200-employee data center Web Werks.

The second server was at Combell in Belgium -- as described in stories such as this one -- Duqu Hackers Shift to Belgium After India Raid.

Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we've seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Here's a VirusTotal report of the better detected of those pieces of code, which had the MD5 value e1e00c2d5815e4129d8ac503f6fac095. This file is not "Duqu" but is rather "an .exe file related to Duqu" which is a much larger program (this one is only 9k in size).

(Click for VirusTotal Report)

Non "generic" definitions for this malware included:

Avast: Win32:Duqu-F
Emsisoft: Trojan.Win32.Stuxnet!IK
Ikarus: Trojan.Win32.Stuxnet
Microsoft: Trojan:Win32/Duqu.E
NOD32: probably a variant of Win32/Duqu.A
TrendMicro: TROJ_DUQU.AJ


Symantec mentioned MD5s



9749d38ae9b9ddd81b50aad679ee87ec
Wed Jun 01, 03:25:18 2011
Stealing information

4c804ef67168e90da2c3da58b60c3d16
Mon Oct 17 17:07:47 2011
Reconnaissance module

856a13fcae0407d83499fc9c3dd791ba
Mon Oct 17 16:26:09 2011
Lifespan extender

92aa68425401ffedcfba4235584ad487
Tue Aug 09 21:37:39 2011
Stealing information

In each of those above, the link on the MD5 will show you the VirusTotal report. I find it interesting that TrendMicro consistently names these files "TROJ_SHADOW.AG" which makes me wonder if they had independently discovered this malware family prior to the naming as Duqu by the CrySyS team.

Symantec calls attention to the fact that several of these files show compile dates AFTER the public disclosure of the existence of Duqu.

Delivery Mechanism


Symantec disclosed in their report that one of the infections they were analyzing had been infected via a Word Document that exploited the system using a previously unknown 0-day attack.

We now know from Microsoft more about this exploit. On November 3, 2011, Microsoft released Microsoft Security Advisory (2639658), "Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege". The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.


Microsoft has released a workaround. The exploit takes advantage of a problem in one of the DLLs called by TrueType in certain circumstances. If a system denies access to that DLL, T2EMBED.DLL, then the exploit would fail to work.

The workaround can be executed like this, but Microsoft cautions that applications that rely on embedded TrueType fonts could then fail to display properly:

(For older Windows versions)
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

(For newer Windows versions; take ownership of the file, then deny access to it)
Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

For more details on the workaround, please see Microsoft Security Advisory: Vulnerability in TrueType font parsing could allow elevation of privileges which offers a "Fix It For Me" button to apply the work around for you.

Duqu Compared to Stuxnet



The Symantec report has 22 or so pages of original Symantec content, and then has as the majority of its body the report by the CrySyS Lab, which has a section that compares the Duqu and Stuxnet code. In particular, the Decryption function seems to be nearly identical.
Posted in malware | No comments

Wednesday, 19 October 2011

ACH spam uses intermediary sites to deliver malware punch

Posted on 10:37 by Unknown
If you have an email address in the United States, either you or your spam filter is certainly familiar with this spam by now:



The spam with the subjects "ACH Payment (random numbers) Canceled" intends to imitate the National Automated Clearing House Association. NACHA is the organization that banks use to handle the electronic transfer of funds between domestic banks for things such as "Direct Deposit" or electronic bill paying.

The spam's message "The ACH transaction recently initiated from your checking acount was canceled by the other financial institution" is intended to elicit a panic response to get the recipient to click on the link in the email.

The problem has been getting worse because of two "upgrades" by the spammers.

First - they are using "drive-by" infectors, in the form of the BlackHole Exploit Kit. In the past a spam message such as this would have relied on trying to get you to download an '.exe' file and trick you into running it on your computer. Now, simply visiting the website will often be enough to infect your machine.

The second improvement, which comes and goes in waves, is that the criminals have compromised many "intermediary" web hosts to use in their spam. If the spammer were sending you to "mybadsite.com" your security software would quickly learn that "mybadsite.com" is a potentially harmful destination and block you from visiting.

To make sure their spam is delivered, the spammers have stolen the credentials from many website owners and have used these credentials to add one tiny file to their existing legitimate website. So, as a randomly chosen example, the spam link that claims to point to "nacha.org" may actually point to a page at "iscsconferencerecording.com". That page belongs to the International Society of Communication Specialists, so it probably has a "positive" reputation among security companies, who may be loath to block the site.

What happens when we visit that page?

The only contents on the page "am2wdh.html" are calls to two Javascript files on other websites. In this case:

www.xmjhx.com /czc /js.js
and
vscreative.com /images /js.js


The first time I loaded this, it caused a document location to be set to "www.nachaemployee.com"

A rerun of the same site pointed me instead to a blackhole exploit kit page at:

milloworks.com /main.php? page=890639ab2b6c1ab8

Which caused me to fetch:

milloworks.com /w.php ?f=70&e=4

This caused me to download the file:

www.vncoach.com /editors /nachareport20111910.pdf.exe





Another attempt sent me to:

tgqswpqqh.org.in from which we attempt to load the Blackhole Exploit page from

This drops a number of files on our computer, including Flash exploits, PDF exploits, and an EXE called "FIX_KB112755.exe" which gets downloaded from the IP address 213.123.52.133. FIX_KB111088.exe and FIX_KB113547.exe were also downloaded from there.

After the malware drops on the computer, we are forwarded through "dating-portal.net" where the affiliate engine sends us to an "Adult Friend Finder" sign-up website.

The point of this story, however, is not really what malware gets dropped, but the use of so many hacked intermediary servers to do the dropping.

In the first twelve hours of October 19, 2011, we saw 184 different websites used in this type of attack with an ACH spam subject line. In order of occurrence, with the first observed URL each, here is what we've seen today:

Posted in malware, spam | No comments

Wednesday, 17 August 2011

New York City "Uniform Traffic Ticket" tops spammed malware

Posted on 03:37 by Unknown
Email attachments that contain malicious code are still being used to infect computers and steal the data found on those computers. While it is easy to find people who discount this threat, believing no one would be foolish enough to open one of these email attachments, the criminals are working hard to make their approaches more convincing.



Today we've seen more than 11,000 copies of their newest attempt come in to the UAB Spam Data Mine. The email received looks like this:







The email contains several falsified header indicators, including at the most basic level that it claims to come from "@nyc.gov". In addition to this, however, there has been a "Received:" tag added to make it appear to have originated from a legitimate New York City IP address:



Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530



The City of New York is the registrant for every IP address beginning with "167.153.*.*" - in fact 167.153.240.51 is the IP address of the website "nyc.gov" where Mayor Bloomberg's homepage can be found.



The other false information is the date. Both the date in the Received: tag and the date in the "Date:" tag have been falsified to make it seem this email has been in your inbox for several days by the time you see it.



Just from the falsified header, we would predict that this email is going to be in the same family of malware as the "IRS Notification" and "UPS Notification" emails seen earlier this week, which also contained falsified Received: tags.
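The backdating described above can be checked mechanically by comparing every sender-controlled timestamp against the one stamped by your own mail server. The following is an added example, not part of the original post: it assumes the top-most Received: header was written by the recipient's own MTA and can be trusted, and it uses an assumed 24-hour transit threshold. The sample messages are constructed; only the forged nyc.gov Received: line is taken from this page.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_TRANSIT = timedelta(hours=24)  # assumed threshold; tune for your mail flow


def parse_when(text):
    """Parse an RFC 5322 date; return an aware datetime or None."""
    try:
        when = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def received_when(value):
    """Timestamp of one Received: header (the text after the last ';')."""
    return parse_when(value.rsplit(";", 1)[1]) if ";" in value else None


def claimed_sender(value):
    """Host name the hop claims the message came from."""
    match = re.match(r"\s*from\s+(\S+)", value)
    return match.group(1) if match else ""


def backdated_headers(raw_message, max_transit=MAX_TRANSIT):
    """Return (header, claimed sender, lag) for every timestamp that is
    older than the trusted receipt time by more than max_transit."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    # Assumption: hops[0] was added by our own MTA, so its clock is trusted.
    trusted = received_when(hops[0]) if hops else None
    if trusted is None:
        return []
    claims = [("Received", claimed_sender(h), received_when(h)) for h in hops[1:]]
    if msg["Date"]:
        claims.append(("Date", "", parse_when(msg["Date"])))
    return [(name, sender, trusted - when)
            for name, sender, when in claims
            if when is not None and trusted - when > max_transit]


# Constructed sample: trusted hop on top, then the forged hop quoted on this page.
SAMPLE_FORGED = """\
Received: from unknown ([203.0.113.7]) by mx.recipient.example;
\tWed, 17 Aug 2011 03:31:02 -0500
Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530
Date: Wed, 03 Aug 2011 12:20:46 +0530
From: constructed-sender@nyc.gov
Subject: Uniform Traffic Ticket

(constructed body)
"""

# Constructed sample of ordinary mail delivered within minutes.
SAMPLE_CLEAN = """\
Received: from relay.sender.example ([198.51.100.9]) by mx.recipient.example;
\tWed, 17 Aug 2011 03:31:02 -0500
Received: from workstation.sender.example by relay.sender.example; Wed, 17 Aug 2011 03:30:40 -0500
Date: Wed, 17 Aug 2011 03:30:35 -0500
From: someone@sender.example
Subject: hello

(constructed body)
"""

if __name__ == "__main__":
    for name, sender, lag in backdated_headers(SAMPLE_FORGED):
        print(f"{name} {sender or '-'} is {lag.days} days older than receipt")
```

Legitimately queued mail can also exceed the threshold, so treat a hit as one signal to combine with others rather than a verdict.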



The zip file contains an executable file disguised as a PDF file:







When the malware is launched, it connects to "sfkdhjnsfjg.ru" on 195.189.226.117.



From there it fetches "/ftp/g.php" and "pusk3.exe" -- exactly the same as the IRS Notification spam and the UPS Notification spam.



VirusTotal Report






Another group of spam messages this morning pretends to be a notice that you have received money via Western Union.



The attachment is of course a virus:



VirusTotal Report.



Money Transfer Information

MONEY TRANSFER INFORMATION

Money Transfer Information 00375

Money Transfer Notice

MONEY TRANSFER NOTICE

MONEY TRANSFER NOTICE 06457

Western Union: Money Transfer For You

WESTERN UNION: MONEY TRANSFER FOR YOU

Western Union: Remittance Advice

WESTERN UNION: REMITTANCE ADVICE

Western Union: Transfer Of Money

WESTERN UNION: TRANSFER OF MONEY

Western Union: You Have Money Transfer

WESTERN UNION: YOU HAVE MONEY TRANSFER

Western Union: You have received a money transfer

WESTERN UNION: YOU HAVE RECEIVED A MONEY TRANSFER








Another top spammed malware attachment today delivers emails with these subjects:



Re: End of July Statement Required

Re: FW: End of July Stat.

Re: FW: End of July Statement

Re: FW: End of July Statement required

Re: FW: End of July Statement Required

Re: FW: End of July Statement REquired

Re: FW: End of July Statement REquired!

Re: FW: End of July Stat. required

Re: FW: End of July Stat. Required



The email body says simply:



Hallo,

As requested i give you open Invoices issued to you as per 5th Aug. 2011

Regards

DEENA BUCKLEY




Here's the VirusTotal report for this one.





Posted in spam | No comments

Wednesday, 10 August 2011

Inter-company Invoice spam leads to Malware

Posted on 05:57 by Unknown
This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!



 count |        mbox
-------+---------------------
     1 | 2011-08-10 05:45:00
     6 | 2011-08-10 06:00:00
     3 | 2011-08-10 06:15:00
    85 | 2011-08-10 06:30:00
     1 | 2011-08-10 06:45:00
     3 | 2011-08-10 07:00:00
     1 | 2011-08-10 07:15:00
   301 | 2011-08-10 07:30:00
   252 | 2011-08-10 07:45:00
   260 | 2011-08-10 08:00:00
   247 | 2011-08-10 08:15:00
   229 | 2011-08-10 08:30:00
(12 rows)





The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:



Aleris International Corp.

AMR Corporation Corp.

Anic Corp.

Arch Coal Corp.

ATFT Corp

Beazer Homes USA Corp.

Boyd Gaming Corp.

Brookdale Senior Living Corp.

Hyland Software Corp.

KPMG Corp.

Kraft Foods Corp.

Miltek Corp.

Novellus Systems Corp.

OSN Corp.

PDC Corp.

Safeco Corporation Corp.

WLC Corp.



Subject can be:



Re: Fw: Inter-company inv. from (company)

Re: Fw: Inter-company inv. from (company)

Re: Fw: Inter-company invoice from (company)

Re: Fw: Intercompany invoice from (company)

Re: Fw: Corp. invoice from (company)



A couple example emails follow:






Hi

Attached the inter-company inv. for the period January 2010 til December 2010.



Thanks a lot for support setting up this process.



CHERYL Flowers

Kraft Foods Corp.





Hi



Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot



Asher GIFFORD

Anic Corp.





Good day





Attached the intercompany invoice for the period January 2010 til December 2010.



Thanks a lot for supporting this process

MAYOLA LEARY

Aleris International Corp.







The attachment may be named "Intinvoice" or "Invoice" followed by an underscore, a date, another underscore, an "invoice number", and ".zip", such as:



Intinvoice_08.6.2011_2222341965.zip

or

Intinvoice_08.4.2011_Q167829.zip

or

Invoice_08.6.2011_T40099.zip





We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.



So far, all have had the same attachment MD5, which yields a 6 of 43 detection rate on this VirusTotal Report.



So far everyone is just saying it is "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!



When we launched the malware, we made a connection to "armaturan.ru" on 94.199.48.152.



We also talked to "ss-partners.ru" on 77.120.114.100

and to "ledinit.ru" on 78.111.51.121



The connection to armaturan.ru did:



GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}



which seems to be uniquely registering our machine, and giving seller #4 credit for my infection?



From ss-partners.ru we fetched a file:



GET /dump/light.exe



which dropped an approximately 70k file onto our local machine.



Then we went back to armaturan.ru and sent another GET:



GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485



Any bets on whether that ahash is the MD5 of the file I just downloaded?



Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.



At this point I checked my registry and found that I had a new Run command for next time I restart. I'm supposed to run:



C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE



Odd, I don't recall having a file named that?



Actually, we confirmed that this is the file that was downloaded as "light.exe" above. The VirusTotal report shows only 4 of 43 infection reports for this file as well. See VirusTotal Report.



Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.
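The same comparison can be run over proxy or sandbox request logs instead of by hand. The following is an added example, not code from the original post: it parses the two check-in requests quoted above, groups them by the per-machine GUID, and lists any "ahash" value that no known dropped-file MD5 explains. The function names and the benign sample line are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Paths taken from the two requests quoted in the write-up.
CHECKIN_PATHS = {
    "/forum/dl/ots.php": "register",    # first contact: seller id + per-machine GUID
    "/forum/dl/getruns.php": "report",  # follow-up: same fields plus an "ahash"
}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_checkin(request_line):
    """Parse one 'GET <target>' line; return a dict for a check-in, else None."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    target = urlsplit(parts[1])
    kind = CHECKIN_PATHS.get(target.path.lower())
    if kind is None:
        return None
    query = parse_qs(target.query)
    seller = query.get("seller", [""])[0]
    bot_id = query.get("hash", [""])[0]
    ahash = query.get("ahash", [""])[0].lower()
    # Require the field shapes seen in the write-up to keep false positives down.
    if not seller.isdecimal() or not GUID_RE.fullmatch(bot_id):
        return None
    if kind == "report" and not MD5_RE.fullmatch(ahash):
        return None
    return {"kind": kind, "seller": int(seller), "bot_id": bot_id.upper(),
            "ahash": ahash or None}


def summarize(request_lines, known_md5s):
    """Group check-ins per machine GUID; list ahash values no known file explains."""
    known = {h.lower() for h in known_md5s}
    bots = {}
    for line in request_lines:
        event = parse_checkin(line)
        if event is None:
            continue
        bot = bots.setdefault(event["bot_id"],
                              {"sellers": set(), "kinds": [], "unexplained": []})
        bot["sellers"].add(event["seller"])
        bot["kinds"].append(event["kind"])
        if event["ahash"] and event["ahash"] not in known:
            bot["unexplained"].append(event["ahash"])
    return bots


# Request lines in the order the write-up observed them; the /index.html
# line is constructed benign noise.
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}",
    "GET /dump/light.exe",
    "GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}"
    "&ahash=5895b2509324d6a17b2b6ea09859a485",
]
# MD5 the write-up gives for the dropped file (light.exe / 3B1F8DC4.EXE).
DROPPED_FILE_MD5 = "f58d5cbb564069eca8806d4e48d7a714"

if __name__ == "__main__":
    for bot_id, info in summarize(SAMPLE_REQUESTS, [DROPPED_FILE_MD5]).items():
        print(bot_id, sorted(info["sellers"]), info["kinds"], info["unexplained"])
```

An "unexplained" entry means the reported value is not the MD5 of any file recovered so far, which is the result the post reaches for this sample.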



Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.



You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.



78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.



fileuplarc.com

hunterdriveez.com

asdfasdgqghgsw.cx.cc



I'll email the owner and get those taken down right away! (smirk)



-----------



person: Vugar Kouliyev

address: 44, J.Jabbarli str., Baku, Azerbaijan

mnt-by: MNT-SOL

e-mail: vugar@kouliyev.com

phone: +994124971234

nic-hdl: VK1161-RIPE

source: RIPE # Filtered



route: 78.111.48.0/20

descr: SOL ISP

origin: AS43637

mnt-by: MNT-SOL

source: RIPE # Filtered



route: 78.111.51.0/24

descr: SOL ISP

origin: AS43637

mnt-by: MNT-SOL

source: RIPE # Filtered



----------------



Armaturan.ru on 94.199.48.152 also has a sordid history.



That IP address, in Hungary, has been associated with at least two active SpyEye domains: hdkajhslalskjd.ru and hhasdalkjjfasd.ru



I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.



person: Zemancsik Zsolt

address: Victor Hugo u. 18-22.

address: 1132 Budapest

address: Hungary

phone: +36 203609059

e-mail: darwick@cyberground.hu

nic-hdl: DARW-RIPE

mnt-by: DARW-MNT

source: RIPE # Filtered



route: 94.199.48.0/21

descr: Originated from 23VNet Network

origin: AS30836

mnt-by: NET23-MNT

source: RIPE # Filtered



========

ss-partners.ru is on servers from Bellhost.ru, a customer of Volia DC



person: Volia DC Admin contact

address: Ukraine, Kiev, Kikvidze st. 1/2

phone: +38 044 2852716

abuse-mailbox: abuse@dc.volia.com

nic-hdl: VDCA-RIPE

mnt-by: VOLIA-DC-MNT

source: RIPE # Filtered



route: 77.120.96.0/19

descr: Volia more specific route

origin: AS25229

mnt-by: VOLIA-MNT

mnt-lower: VOLIA-MNT

source: RIPE # Filtered






Friday, 5 August 2011

Fake IRS emails continue to spread Gov-related Zeus

Posted on 03:40 by Unknown
We've already seen nearly 500 copies of the new Government-related Zeus spam campaign so far this morning in the UAB Spam Data Mine. As has been typical in this campaign that we first started tracking on July 13th, the detection has been fairly horrible each morning for the new malware version. We last updated on this malware on July 29th in our story Government-related Zeus Spam Continues.

Today's version advertises the domain "tax-irs-report.com" and asks users to download the file 0000770950077US.pdf.exe from that site.

190 different computers have sent us the spam for this campaign so far today. 118 of them from the USA, 40 from India.

When we asked the UAB Spam Data Mine what other virus links we had been sent by this same group of 190 computers on other days, we got this list:

receiving_date | machine | path
----------------+------------------------------+-------------------------------
2011-07-13 | usbanking-security.com | /tax_report.pdf.exe
2011-07-15 | federalsecusrity.com | /pending-taxes.pdf.exe
2011-07-19 | irs-report-link.com | /tax-report.pdf.exe
2011-07-19 | irs-taxes-report.com | /tax-report.pdf.exe
2011-07-19 | taxreport-irs.com | /tax-report.pdf.exe
2011-07-20 | alerts-federalresrve.com | /rejected_wire.pdf.exe
2011-07-20 | nacha-alert.com | /rejected_transaction.pdf.exe
2011-07-20 | nacha-alert.org | /rejected_transfer.pdf.exe
2011-07-20 | reports-federalreserve.com | /rejected_wire.pdf.exe
2011-07-21 | national-security-agency.com | /blocked_list.exe
2011-07-21 | national-security-agency.com | /token_security_update.exe
2011-07-21 | nsa-security.net | /blocked-list.exe
2011-07-21 | nsa-security.net | /token_security_update.exe
2011-07-22 | irs-downloads.com | /00000700955160US.exe
2011-07-22 | irs-files.com | /00000700955170US.exe
2011-07-26 | irs-alert.com | /00000700955770US.exe
2011-07-27 | nacha-transactions.org | /304694305894903.pdf.exe
2011-07-27 | taxes-refund.com | /00000700975770US.exe
2011-07-27 | www.nacha-rejected.com | /304694305894903.pdf.exe
2011-07-28 | fdic-updates.com | /system_update_07_28.exe
2011-07-29 | federalreserve-alert.com | /transaction_report.pdf.exe
2011-07-29 | taxes-security.com | /00000700955060US.pdf.exe
2011-08-03 | irs-report.com | /00000770950077US.exe
2011-08-05 | tax-irs-report.com | /0000770950077US.pdf.exe
(24 rows)

So, at least some of today's spamming computers have been with this campaign since the beginning (July 13th).

When today's malware is executed, it sets a registry key in "HKEY_USERS\S-1-5(my user)-500\Software\Microsoft\Windows\CurrentVersion\Run" to relaunch itself from my current user account, where it had copied itself as "C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe".

It makes connection to domains generated with a DGA (Domain Generation Algorithm). Today's live domain was:

olojkpcltulirqr.info on 50.57.71.39

From there it did a GET for /news/?s=158404

It tried many other domains, but none of the others were live. Some of them include:

jruioljslsitjpfv.biz
wlnzkqmohuhzqyra.info
tjjhmtjlziebo.net
jpkpbxkoxwijzijr.info

As we have seen before, the malware ALSO fetches a copy of "heap_v206_mails.exe" after it successfully installs itself.

The spam started at 4:45 AM (Central time), peaked at 5:15, and then began to trickle off. (We group in 15 minute windows.)

count | 15 minute spam block
-------+---------------------
3 | 2011-08-05 04:45:00
3 | 2011-08-05 05:00:00
406 | 2011-08-05 05:15:00
86 | 2011-08-05 05:30:00
(4 rows)

This morning's malware is largely undetected:

A VirusTotal Report shows 6 of 43 AV products know that this is a virus.

I have to praise Microsoft for being the only one of the six to correctly call this Zeus (Zbot).

Email subjects we've seen on this morning's campaign:

count | subject
-------+-------------------------------------------------------------------
38 | Change Confirmation
4 | Does your company is registered outstanding tax debt
5 | Does your company is registered tax debt
1 | Does your enterprise including unpaid tax debts
1 | Does your enterprise listed outstanding tax debts
1 | Does your enterprise listed unpaid tax debts
30 | Federal Tax payment rejected
1 | For your company including unpaid tax debts
1 | For your company is registered outstanding tax debts
1 | For your company is registered tax debts
1 | For your company is registered unpaid tax debt
1 | For your company listed tax debts
2 | For your enterprise listed tax debt
70 | Internal Revenue Service
24 | Internal Revenue Service (IRS)
19 | Internal Revenue Service United States Department of the Treasury
32 | IRS.gov
31 | IRS.gov US
19 | Notice of Underreported Income
35 | Payment IRS.gov
50 | Support IRS.gov
40 | Treasury Inspector General for Tax Administration
42 | U.S. Department of the Treasury
1 | Your company including outstanding tax debts
1 | Your company including tax debts
1 | Your company listed outstanding tax debt
2 | Your company listed tax debts
1 | Your enterprise including outstanding tax debts
2 | Your enterprise is registered unpaid tax debts
1 | Your enterprise listed outstanding tax debt
1 | Your enterprise listed unpaid tax debt
39 | Your IRS payment rejected
(32 rows)


A mix and match of sender name, sender-username, and sender-domain creates the from addresses:

count | sender_name
-------+---------------------------------------------------------------------
19 | "Internal Revenue Service"
18 | "Internal Revenue Service (IRS)"
27 | "Internal Revenue Service (IRS.gov)"
29 | "Internal Revenue Service United States Department of the Treasury"
23 | "Internal Revenue Service US Department of the Treasury"
29 | "IRS.gov"
18 | "IRS.gov United States Department of the Treasury"
30 | "IRS.gov US"
22 | "IRS.gov US Department of the Treasury"
21 | "IRS United States Department of the Treasury"
41 | "Payment IRS.gov"
37 | "Support IRS.gov"
23 | "The Consumer Financial Protection"
37 | "Treasury Inspector General for Tax Administration"
30 | "United States Department of the Treasury"
19 | "U.S. Department of the Treasury"
23 | "US_IRS"
17 | "USIRS"
35 | "US IRS.gov"


count | sender_username
-------+--------------------------
12 | admin
8 | adminnistration
9 | alerts
16 | cunsumer
29 | delivery
15 | e-file
10 | finance
33 | frboard-webannouncements
36 | govdelivery
26 | info
17 | information
14 | inspector
8 | internal_revenue_service
30 | Internal_Revenue_Service
18 | irs
6 | news
14 | news-alerts
8 | no-reply
28 | privacy_policy
22 | protection
5 | public
5 | report
9 | service
17 | stats
22 | subscriber
12 | subscriptions
13 | support
13 | usirc
14 | USIRS
13 | usttb
16 | webannouncements
(31 rows)

count | sender_domain
-------+-------------------
93 | antifraud.irs.gov
73 | info.irs.gov
78 | irs.gov
91 | irs.security.gov
73 | irs.taxes.gov
90 | service.irs.gov
(6 rows)

Wednesday, 3 August 2011

Love Map Spam spreads Fake AV

Posted on 07:19 by Unknown
The top malware spam of the morning is another Fake Antivirus product, but as you'll see in today's story, it's a very familiar Fake AV product.

About 1/2 of 1% of the spam we've seen this morning is a new campaign spreading a fake antivirus dropper. The malware has a fair detection rating, with 17 of 43 AV products detecting the malware according to VirusTotal in their report for MD5 = 635aceafb9ee4236e50e7d0f6c7a7895.

The email bodies use some random misspellings, but look something like this:



WELCOME S'EXOHOLIC!
Are YOU real Se'X-tourist?
Check ->>NEW PROJECT: WORLD MAP OF PUSSY
With Best Wishes ...
www. love-map .com




and then have an attachment, which is the malware.


(the website, love-map.com, doesn't actually exist...)

The attachment filename is "map_of_love###.zip" where ### is a random number of length between 4 and 8 characters.

Thanks to the UAB Spam Data Mine, it's fairly easy for us to link this new Fake AV spam campaign to previous ones. For example -- we've seen 520 distinct sending IP addresses so far this morning, so let's ask "What was the most common email subject that those same sending IP addresses sent us yesterday?"

43 of the IP addresses sent us an email yesterday with the subject "Your credit card is blocked"

33 sent us "Your credit card has been blocked"

That's the same campaign we've been seeing since we wrote about it on July 23rd (See: MasterCard Spam Leads to Fake AV).

The other big fake AV campaign from yesterday was one pretending to be the US Postal Service. We saw 814 copies of that spam yesterday, and 154 of them came from computers that also sent us today's "Love Map" malware.

The USPS subjects were like:

DELIVERY CONFIRMATION FROM USPS 0785164
From USPS 0735590
USPS Attention 03867076
USPS: DELIVER CONFIRMATION - FAILED 1399475
USPS Delivery Confirmation 1784864
USPS id. 167163
Your USPS id. 12286791

With random upper and lowercasing, and random numbers in each subject.

Here's a VirusTotal report on yesterday's USPS Fake AV, which had MD5 = a9a01f061d336774276fabb1827b91cc

How closely related are the "MasterCard" fake AV and the USPS fake AV? Well, they are actually IDENTICAL. It's the same malware. Here's a report extract from yesterday showing the email subject and the MD5 of the attached malware:

Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
From USPS 38864359 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 954859 | a9a01f061d336774276fabb1827b91cc
From USPS 8815572 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 6498394 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 73687208 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 56547166 | a9a01f061d336774276fabb1827b91cc
USPS ATTENTION 578975 | a9a01f061d336774276fabb1827b91cc
USPS: DELIVER CONFIRMATION - FAILED 9211453 | a9a01f061d336774276fabb1827b91cc
From USPS 5174072 | a9a01f061d336774276fabb1827b91cc
USPS Attention 1201554 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 92444941 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 575555 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 82259351 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 139017 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 381458 | a9a01f061d336774276fabb1827b91cc
From USPS 3877947 | a9a01f061d336774276fabb1827b91cc
USPS id. 45254864 | a9a01f061d336774276fabb1827b91cc
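The sender-overlap questions asked of the UAB Spam Data Mine in the Zeus post and in this one, and the subject/MD5 extract above, come down to two small set operations. The following is an added example, not the Data Mine's own code or schema: the record layout, function names, and sample messages are constructed for illustration, with documentation IP addresses standing in for real senders and only the two MD5 values taken from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import date

LOVE_MAP_MD5 = "635aceafb9ee4236e50e7d0f6c7a7895"  # today's attachment (from the post)
USPS_MC_MD5 = "a9a01f061d336774276fabb1827b91cc"   # yesterday's attachment (from the post)
TODAY, YESTERDAY = date(2011, 8, 3), date(2011, 8, 2)


def msg(day, ip, subject, md5):
    """Build one spam record (hypothetical layout: day, sender IP, subject, MD5)."""
    return {"day": day, "ip": ip, "subject": subject, "md5": md5}


# Constructed sample records; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
MESSAGES = [
    msg(TODAY, "192.0.2.10", "SEXY WORLD MAP 2011", LOVE_MAP_MD5),
    msg(TODAY, "192.0.2.11", "LOVE CITIES IN WORLD 2011", LOVE_MAP_MD5),
    msg(TODAY, "192.0.2.12", "KNOW-HOW: SEXY LOVE MAP", LOVE_MAP_MD5),
    msg(TODAY, "192.0.2.13", "SEXY WORLD MAP 2011", LOVE_MAP_MD5),
    msg(YESTERDAY, "192.0.2.10", "Your credit card is blocked", USPS_MC_MD5),
    msg(YESTERDAY, "192.0.2.10", "Your credit card is blocked", USPS_MC_MD5),
    msg(YESTERDAY, "192.0.2.11", "Your credit card is blocked", USPS_MC_MD5),
    msg(YESTERDAY, "192.0.2.11", "Your credit card has been blocked", USPS_MC_MD5),
    msg(YESTERDAY, "192.0.2.12", "USPS Delivery Confirmation 1784864", USPS_MC_MD5),
    msg(YESTERDAY, "192.0.2.12", "USPS DELIVERY CONFIRMATION 954859", USPS_MC_MD5),
    msg(YESTERDAY, "198.51.100.7", "From USPS 0735590", USPS_MC_MD5),
]


def normalize_subject(subject):
    """Fold case and replace digit runs so randomized variants collapse together."""
    return re.sub(r"\d+", "#", subject).casefold().strip()


def campaign_senders(messages, day, attachment_md5):
    """Distinct sending IPs that delivered the given attachment on the given day."""
    return {m["ip"] for m in messages
            if m["day"] == day and m["md5"] == attachment_md5}


def subjects_from_senders(messages, senders, day):
    """For each subject family seen on `day`, count distinct IPs from `senders`."""
    ips_per_subject = defaultdict(set)
    for m in messages:
        if m["day"] == day and m["ip"] in senders:
            ips_per_subject[normalize_subject(m["subject"])].add(m["ip"])
    return Counter({subj: len(ips) for subj, ips in ips_per_subject.items()})


def subjects_by_attachment(messages, day):
    """Map each attachment MD5 seen on `day` to the subject families carrying it."""
    families = defaultdict(set)
    for m in messages:
        if m["day"] == day:
            families[m["md5"]].add(normalize_subject(m["subject"]))
    return dict(families)


if __name__ == "__main__":
    todays = campaign_senders(MESSAGES, TODAY, LOVE_MAP_MD5)
    for subject, n in subjects_from_senders(MESSAGES, todays, YESTERDAY).most_common():
        print(f"{n} of today's senders sent yesterday: {subject}")
    for md5, subjects in subjects_by_attachment(MESSAGES, YESTERDAY).items():
        print(md5, sorted(subjects))
```

Counting distinct IPs per subject, rather than messages, keeps one noisy bot from inflating the overlap, and a single MD5 spanning several subject families is the signal that two lures carry the same malware.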

OK, back to today . . .

Here are the "Love Map" spam subject lines we've seen it use so far:


BABECITIES IN WORLD 2011
BABEPLACES IN WORLD 2011
BABIESPLACES IN WORLD 2011
BABIESSPOTS IN WORLD 2011
BABYCITIES IN WORLD 2011
BABYSPOTS IN WORLD 2011
GIRLSCITIES IN WORLD 2011
GIRLSPLACES IN WORLD 2011
GIRLSSPOTS IN WORLD 2011
HOT BABE CITIES 2011
HOT BABE PLACES 2011
HOT BABE SPOTS 2011
HOT BABIES CITIES 2011
HOT BABIES SPOTS 2011
HOT BABY CITIES 2011
HOT BABY PLACES 2011
HOT BABY SPOTS 2011
HOT CITIES OF BABE 2011
HOTCITIES OF BABIES 2011
HOT CITIES OF BABY 2011
HOTCITIES OF BABY 2011
HOT CITIES OF GIRLS 2011
HOTCITIES OF GIRLS 2011
HOTCITIES OF PUSSY 2011
HOT GIRLS PLACES 2011
HOT GIRLS SPOTS 2011
HOT PLACES OF BABE 2011
HOT PLACES OF BABIES 2011
HOTPLACES OF BABIES 2011
HOT PLACES OF BABY 2011
HOTPLACES OF BABY 2011
HOT PLACES OF GIRLS 2011
HOTPLACES OF GIRLS 2011
HOT PLACES OF GIRLS IN WORLD
HOTPLACES OF GIRLS IN WORLD
HOT PLACES OF PUSSIES 2011
HOTPLACES OF PUSSIES 2011
HOT PLACES OF PUSSY 2011
HOTPLACES OF PUSSY 2011
HOT PUSSIES CITIES 2011
HOT PUSSIES SPOTS 2011
HOT PUSSY CITIES 2011
HOT PUSSY PLACES 2011
HOT PUSSY SPOTS 2011
HOT SPOTS OF BABE 2011
HOT SPOTS OF BABIES 2011
HOTSPOTS OF BABIES 2011
HOT SPOTS OF GIRLS 2011
HOTSPOTS OF GIRLS 2011
HOT SPOTS OF GIRLS IN WORLD
HOT SPOTS OF PUSSIES 2011
HOTSPOTS OF PUSSIES 2011
HOT SPOTS OF PUSSY 2011
HOTSPOTS OF PUSSY 2011
JULY-2011: BABECITIES IN WORLD
JULY-2011: BABEPLACES IN WORLD
JULY-2011: BABIESCITIES IN WORLD
JULY-2011: BABIESPLACES IN WORLD
JULY-2011: BABYCITIES IN WORLD
JULY-2011: BABYPLACES IN WORLD
JULY-2011: GIRLSPLACES IN WORLD
JULY-2011: GIRLSSPOTS IN WORLD
JULY-2011: HOT BABE CITIES
JULY-2011: HOT BABE PLACES
JULY-2011: HOT BABE SPOTS
JULY-2011: HOT BABIES CITIES
JULY-2011: HOT BABY CITIES
JULY-2011: HOT BABY PLACES
JULY-2011: HOT BABY SPOTS
JULY-2011: HOT CITIES OF BABE
JULY-2011: HOTCITIES OF BABE
JULY-2011: HOTCITIES OF BABIES
JULY-2011: HOT CITIES OF BABY
JULY-2011: HOTCITIES OF BABY
JULY-2011: HOT CITIES OF GIRLS
JULY-2011: HOTCITIES OF GIRLS
JULY-2011: HOT CITIES OF PUSSIES
JULY-2011: HOTCITIES OF PUSSIES
JULY-2011: HOT CITIES OF PUSSY
JULY-2011: HOTCITIES OF PUSSY
JULY-2011: HOT GIRLS PLACES
JULY-2011: HOT GIRLS SPOTS
JULY-2011: HOT PLACES OF BABE
JULY-2011: HOTPLACES OF BABE
JULY-2011: HOT PLACES OF BABIES
JULY-2011: HOTPLACES OF BABIES
JULY-2011: HOT PLACES OF BABY
JULY-2011: HOTPLACES OF BABY
JULY-2011: HOT PLACES OF GIRLS
JULY-2011: HOTPLACES OF GIRLS
JULY-2011: HOTPLACES OF PUSSIES
JULY-2011: HOT PLACES OF PUSSY
JULY-2011: HOTPLACES OF PUSSY
JULY-2011: HOT PUSSIES CITIES
JULY-2011: HOT PUSSIES PLACES
JULY-2011: HOT PUSSIES SPOTS
JULY-2011: HOT PUSSY CITIES
JULY-2011: HOT PUSSY PLACES
JULY-2011: HOT PUSSY SPOTS
JULY-2011: HOTSPOTS OF BABE
JULY-2011: HOT SPOTS OF BABIES
JULY-2011: HOTSPOTS OF BABIES
JULY-2011: HOT SPOTS OF BABY
JULY-2011: HOTSPOTS OF BABY
JULY-2011: HOT SPOTS OF GIRLS
JULY-2011: HOTSPOTS OF GIRLS
JULY-2011: HOT SPOTS OF PUSSIES
JULY-2011: HOTSPOTS OF PUSSIES
JULY-2011: HOT SPOTS OF PUSSY
JULY-2011: LOVE BABE CITIES
JULY-2011: LOVE BABE PLACES
JULY-2011: LOVE BABIES SPOTS
JULY-2011: LOVE BABY CITIES
JULY-2011: LOVE BABY PLACES
JULY-2011: LOVE BABY SPOTS
JULY-2011: LOVE CITIES IN WORLD
JULY-2011: LOVE CITIES OF BABE
JULY-2011: LOVECITIES OF BABE
JULY-2011: LOVECITIES OF BABIES
JULY-2011: LOVE CITIES OF BABY
JULY-2011: LOVECITIES OF BABY
JULY-2011: LOVECITIES OF GIRLS
JULY-2011: LOVE CITIES OF PUSSIES
JULY-2011: LOVECITIES OF PUSSIES
JULY-2011: LOVE CITIES OF PUSSY
JULY-2011: LOVECITIES OF PUSSY
JULY-2011: LOVE GIRLS CITIES
JULY-2011: LOVE GIRLS PLACES
JULY-2011: LOVE GIRLS SPOTS
JULY-2011: LOVE MAP OF BABE
JULY-2011: LOVE MAP OF BABIES
JULY-2011: LOVE-MAP OF BABIES
JULY-2011: LOVE-MAP OF BABY
JULY-2011: LOVE MAP OF GIRLS
JULY-2011: LOVE-MAP OF GIRLS
JULY-2011: LOVE MAP OF PUSSIES
JULY-2011: LOVE-MAP OF PUSSIES
JULY-2011: LOVE MAP OF PUSSY
JULY-2011: LOVE-MAP OF PUSSY
JULY-2011: LOVEPLACES IN WORLD
JULY-2011: LOVE PLACES OF BABE
JULY-2011: LOVEPLACES OF BABE
JULY-2011: LOVE PLACES OF BABIES
JULY-2011: LOVEPLACES OF BABIES
JULY-2011: LOVE PLACES OF BABY
JULY-2011: LOVEPLACES OF BABY
JULY-2011: LOVE PLACES OF GIRLS
JULY-2011: LOVEPLACES OF GIRLS
JULY-2011: LOVE PLACES OF PUSSIES
JULY-2011: LOVEPLACES OF PUSSIES
JULY-2011: LOVE PLACES OF PUSSY
JULY-2011: LOVE PUSSIES PLACES
JULY-2011: LOVE PUSSIES SPOTS
JULY-2011: LOVE PUSSY CITIES
JULY-2011: LOVE PUSSY PLACES
JULY-2011: LOVE SPOTS IN WORLD
JULY-2011: LOVESPOTS IN WORLD
JULY-2011: LOVE SPOTS OF BABE
JULY-2011: LOVESPOTS OF BABE
JULY-2011: LOVE SPOTS OF BABIES
JULY-2011: LOVE SPOTS OF BABY
JULY-2011: LOVE SPOTS OF GIRLS
JULY-2011: LOVESPOTS OF GIRLS
JULY-2011: LOVE SPOTS OF PUSSIES
JULY-2011: LOVESPOTS OF PUSSIES
JULY-2011: LOVE SPOTS OF PUSSY
JULY-2011: LOVESPOTS OF PUSSY
JULY-2011: PUSSYCITIES IN WORLD
JULY-2011: PUSSYPLACES IN WORLD
JULY-2011: SEXYCITIES IN WORLD
JULY-2011: SEXY LOVE MAP
JULY-2011: SEXY LOVE-MAP
JULY-2011: SEXY PLACES IN WORLD
JULY-2011: SEXYPLACES IN WORLD
JULY-2011: SEXYSPOTS IN WORLD
JULY-2011: SEXY WORLD MAP
JULY-2011: WORLD MAP OF BABE
JULY-2011: WORLD-MAP OF BABE
JULY-2011: WORLD MAP OF BABIES
JULY-2011: WORLD-MAP OF BABIES
JULY-2011: WORLD MAP OF BABY
JULY-2011: WORLD-MAP OF BABY
JULY-2011: WORLD MAP OF GIRLS
JULY-2011: WORLD-MAP OF GIRLS
JULY-2011: WORLD-MAP OF PUSSIES
JULY-2011: WORLD MAP OF PUSSY
JULY-2011: WORLD-MAP OF PUSSY
KNOW-HOW: BABECITIES IN WORLD
KNOW-HOW: BABEPLACES IN WORLD
KNOW-HOW: BABESPOTS IN WORLD
KNOW-HOW: BABIESCITIES IN WORLD
KNOW-HOW: BABIESSPOTS IN WORLD
KNOW-HOW: BABYCITIES IN WORLD
KNOW-HOW: BABYPLACES IN WORLD
KNOW-HOW: BABYSPOTS IN WORLD
KNOW-HOW: GIRLSPLACES IN WORLD
KNOW-HOW: HOT BABE PLACES
KNOW-HOW: HOT BABE SPOTS
KNOW-HOW: HOT BABIES CITIES
KNOW-HOW: HOT BABIES PLACES
KNOW-HOW: HOT BABIES SPOTS
KNOW-HOW: HOT BABY CITIES
KNOW-HOW: HOT BABY PLACES
KNOW-HOW: HOT BABY SPOTS
KNOW-HOW: HOT CITIES OF BABE
KNOW-HOW: HOTCITIES OF BABE
KNOW-HOW: HOT CITIES OF BABIES
KNOW-HOW: HOTCITIES OF BABIES
KNOW-HOW: HOT CITIES OF BABY
KNOW-HOW: HOTCITIES OF BABY
KNOW-HOW: HOT CITIES OF PUSSIES
KNOW-HOW: HOTCITIES OF PUSSY
KNOW-HOW: HOT GIRLS CITIES
KNOW-HOW: HOT GIRLS SPOTS
KNOW-HOW: HOT PLACES OF BABE
KNOW-HOW: HOTPLACES OF BABE
KNOW-HOW: HOT PLACES OF BABIES
KNOW-HOW: HOTPLACES OF BABIES
KNOW-HOW: HOTPLACES OF BABY
KNOW-HOW: HOT PLACES OF GIRLS
KNOW-HOW: HOTPLACES OF GIRLS
KNOW-HOW: HOT PLACES OF PUSSIES
KNOW-HOW: HOT PLACES OF PUSSY
KNOW-HOW: HOTPLACES OF PUSSY
KNOW-HOW: HOT PUSSIES CITIES
KNOW-HOW: HOT PUSSIES PLACES
KNOW-HOW: HOT PUSSY PLACES
KNOW-HOW: HOT SPOTS OF BABE
KNOW-HOW: HOTSPOTS OF BABE
KNOW-HOW: HOT SPOTS OF BABY
KNOW-HOW: HOTSPOTS OF BABY
KNOW-HOW: HOTSPOTS OF GIRLS
KNOW-HOW: HOTSPOTS OF PUSSY
KNOW-HOW: LOVE BABE CITIES
KNOW-HOW: LOVE BABE SPOTS
KNOW-HOW: LOVE BABIES CITIES
KNOW-HOW: LOVE BABIES PLACES
KNOW-HOW: LOVE BABY CITIES
KNOW-HOW: LOVE CITIES IN WORLD
KNOW-HOW: LOVECITIES IN WORLD
KNOW-HOW: LOVECITIES OF BABE
KNOW-HOW: LOVECITIES OF BABIES
KNOW-HOW: LOVE CITIES OF BABY
KNOW-HOW: LOVECITIES OF BABY
KNOW-HOW: LOVE CITIES OF GIRLS
KNOW-HOW: LOVECITIES OF PUSSIES
KNOW-HOW: LOVE CITIES OF PUSSY
KNOW-HOW: LOVECITIES OF PUSSY
KNOW-HOW: LOVE GIRLS CITIES
KNOW-HOW: LOVE GIRLS SPOTS
KNOW-HOW: LOVE MAP OF BABE
KNOW-HOW: LOVE MAP OF BABIES
KNOW-HOW: LOVE MAP OF BABY
KNOW-HOW: LOVE-MAP OF BABY
KNOW-HOW: LOVE MAP OF GIRLS
KNOW-HOW: LOVE-MAP OF GIRLS
KNOW-HOW: LOVE MAP OF PUSSIES
KNOW-HOW: LOVE-MAP OF PUSSIES
KNOW-HOW: LOVE MAP OF PUSSY
KNOW-HOW: LOVE-MAP OF PUSSY
KNOW-HOW: LOVE PLACES IN WORLD
KNOW-HOW: LOVEPLACES IN WORLD
KNOW-HOW: LOVE PLACES OF BABE
KNOW-HOW: LOVEPLACES OF BABE
KNOW-HOW: LOVEPLACES OF BABIES
KNOW-HOW: LOVE PLACES OF BABY
KNOW-HOW: LOVEPLACES OF BABY
KNOW-HOW: LOVE PLACES OF GIRLS
KNOW-HOW: LOVEPLACES OF GIRLS
KNOW-HOW: LOVE PLACES OF PUSSIES
KNOW-HOW: LOVEPLACES OF PUSSIES
KNOW-HOW: LOVE PLACES OF PUSSY
KNOW-HOW: LOVEPLACES OF PUSSY
KNOW-HOW: LOVE PUSSIES CITIES
KNOW-HOW: LOVE PUSSIES PLACES
KNOW-HOW: LOVE PUSSIES SPOTS
KNOW-HOW: LOVE PUSSY CITIES
KNOW-HOW: LOVE PUSSY PLACES
KNOW-HOW: LOVE PUSSY SPOTS
KNOW-HOW: LOVE SPOTS IN WORLD
KNOW-HOW: LOVE SPOTS OF BABE
KNOW-HOW: LOVESPOTS OF BABE
KNOW-HOW: LOVESPOTS OF BABIES
KNOW-HOW: LOVESPOTS OF BABY
KNOW-HOW: LOVE SPOTS OF GIRLS
KNOW-HOW: LOVESPOTS OF GIRLS
KNOW-HOW: LOVE SPOTS OF PUSSIES
KNOW-HOW: LOVESPOTS OF PUSSIES
KNOW-HOW: LOVESPOTS OF PUSSY
KNOW-HOW: PUSSYPLACES IN WORLD
KNOW-HOW: PUSSYSPOTS IN WORLD
KNOW-HOW: SEXY CITIES IN WORLD
KNOW-HOW: SEXYCITIES IN WORLD
KNOW-HOW: SEXY LOVE MAP
KNOW-HOW: SEXY LOVE-MAP
KNOW-HOW: SEXY PLACES IN WORLD
KNOW-HOW: SEXYPLACES IN WORLD
KNOW-HOW: SEXY SPOTS IN WORLD
KNOW-HOW: SEXYSPOTS IN WORLD
KNOW-HOW: SEXY WORLD MAP
KNOW-HOW: SEXY WORLD-MAP
KNOW-HOW: WORLD MAP OF BABE
KNOW-HOW: WORLD-MAP OF BABE
KNOW-HOW: WORLD MAP OF BABIES
KNOW-HOW: WORLD-MAP OF BABIES
KNOW-HOW: WORLD MAP OF BABY
KNOW-HOW: WORLD-MAP OF BABY
KNOW-HOW: WORLD MAP OF GIRLS
KNOW-HOW: WORLD-MAP OF GIRLS
KNOW-HOW: WORLD-MAP OF PUSSIES
KNOW-HOW: WORLD MAP OF PUSSY
LOVE BABE CITIES 2011
LOVE BABE PLACES 2011
LOVE BABE SPOTS 2011
LOVE BABIES CITIES 2011
LOVE BABIES PLACES 2011
LOVE BABIES SPOTS 2011
LOVE BABY CITIES 2011
LOVE BABY PLACES 2011
LOVE BABY SPOTS 2011
LOVE CITIES IN WORLD 2011
LOVE CITIES OF BABE 2011
LOVECITIES OF BABE 2011
LOVE CITIES OF BABIES 2011
LOVECITIES OF BABIES 2011
LOVE CITIES OF BABY 2011
LOVECITIES OF BABY 2011
LOVE CITIES OF GIRLS 2011
LOVECITIES OF GIRLS 2011
LOVE CITIES OF PUSSIES 2011
LOVECITIES OF PUSSIES 2011
LOVE CITIES OF PUSSY 2011
LOVECITIES OF PUSSY 2011
LOVE GIRLS CITIES 2011
LOVE GIRLS PLACES 2011
LOVE GIRLS SPOTS 2011
LOVE MAP OF BABE 2011
LOVE-MAP OF BABE 2011
LOVE MAP OF BABIES 2011
LOVE-MAP OF BABIES 2011
LOVE MAP OF BABY 2011
LOVE-MAP OF BABY 2011
LOVE-MAP OF GIRLS 2011
LOVE MAP OF PUSSIES 2011
LOVE-MAP OF PUSSY 2011
LOVE PLACES IN WORLD 2011
LOVEPLACES IN WORLD 2011
LOVE PLACES OF BABE 2011
LOVEPLACES OF BABE 2011
LOVE PLACES OF BABIES 2011
LOVEPLACES OF BABIES 2011
LOVEPLACES OF BABY 2011
LOVE PLACES OF GIRLS 2011
LOVEPLACES OF GIRLS 2011
LOVE PLACES OF GIRLS IN WORLD
LOVEPLACES OF GIRLS IN WORLD
LOVE PLACES OF PUSSIES 2011
LOVEPLACES OF PUSSIES 2011
LOVE PLACES OF PUSSY 2011
LOVEPLACES OF PUSSY 2011
LOVE PUSSIES PLACES 2011
LOVE PUSSIES SPOTS 2011
LOVE PUSSY CITIES 2011
LOVE PUSSY PLACES 2011
LOVE PUSSY SPOTS 2011
LOVE SPOTS IN WORLD 2011
LOVESPOTS IN WORLD 2011
LOVESPOTS OF BABE 2011
LOVE SPOTS OF BABIES 2011
LOVESPOTS OF BABIES 2011
LOVE SPOTS OF BABY 2011
LOVESPOTS OF BABY 2011
LOVE SPOTS OF GIRLS 2011
LOVESPOTS OF GIRLS 2011
LOVE SPOTS OF GIRLS IN WORLD
LOVE SPOTS OF PUSSIES 2011
LOVESPOTS OF PUSSIES 2011
LOVE SPOTS OF PUSSY 2011
LOVESPOTS OF PUSSY 2011
PUSSIESCITIES IN WORLD 2011
PUSSIESPLACES IN WORLD
PUSSIESSPOTS IN WORLD 2011
PUSSYCITIES IN WORLD 2011
PUSSYPLACES IN WORLD 2011
PUSSYSPOTS IN WORLD 2011
SEXY CITIES IN WORLD 2011
SEXY LOVE MAP 2011
SEXY LOVE-MAP 2011
SEXY PLACES IN WORLD 2011
SEXYPLACES IN WORLD 2011
SEXY SPOTS IN WORLD
SEXYSPOTS IN WORLD
SEXY WORLD MAP 2011
SUMMER-2011: BABECITIES IN WORLD
SUMMER-2011: BABEPLACES IN WORLD
SUMMER-2011: BABIESCITIES IN WORLD
SUMMER-2011: BABIESPLACES IN WORLD
SUMMER-2011: BABYCITIES IN WORLD
SUMMER-2011: BABYPLACES IN WORLD
SUMMER-2011: GIRLSCITIES IN WORLD
SUMMER-2011: GIRLSPLACES IN WORLD
SUMMER-2011: GIRLSSPOTS IN WORLD
SUMMER-2011: HOT BABE SPOTS
SUMMER-2011: HOT BABIES CITIES
SUMMER-2011: HOT BABIES PLACES
SUMMER-2011: HOT BABY PLACES
SUMMER-2011: HOT CITIES OF BABE
SUMMER-2011: HOTCITIES OF BABE
SUMMER-2011: HOT CITIES OF BABIES
SUMMER-2011: HOT CITIES OF BABY
SUMMER-2011: HOTCITIES OF BABY
SUMMER-2011: HOT CITIES OF GIRLS
SUMMER-2011: HOT CITIES OF PUSSIES
SUMMER-2011: HOT CITIES OF PUSSY
SUMMER-2011: HOTCITIES OF PUSSY
SUMMER-2011: HOT GIRLS CITIES
SUMMER-2011: HOTPLACES OF BABE
SUMMER-2011: HOT PLACES OF BABIES
SUMMER-2011: HOTPLACES OF BABIES
SUMMER-2011: HOT PLACES OF BABY
SUMMER-2011: HOTPLACES OF BABY
SUMMER-2011: HOT PLACES OF GIRLS
SUMMER-2011: HOTPLACES OF GIRLS
SUMMER-2011: HOT PLACES OF PUSSIES
SUMMER-2011: HOTPLACES OF PUSSIES
SUMMER-2011: HOT PLACES OF PUSSY
SUMMER-2011: HOTPLACES OF PUSSY
SUMMER-2011: HOT PUSSIES CITIES
SUMMER-2011: HOT PUSSIES PLACES
SUMMER-2011: HOT PUSSY CITIES
SUMMER-2011: HOT PUSSY SPOTS
SUMMER-2011: HOT SPOTS OF BABE
SUMMER-2011: HOTSPOTS OF BABE
SUMMER-2011: HOT SPOTS OF BABIES
SUMMER-2011: HOTSPOTS OF BABIES
SUMMER-2011: HOT SPOTS OF BABY
SUMMER-2011: HOTSPOTS OF BABY
SUMMER-2011: HOT SPOTS OF GIRLS
SUMMER-2011: HOTSPOTS OF GIRLS
SUMMER-2011: HOT SPOTS OF PUSSIES
SUMMER-2011: HOTSPOTS OF PUSSIES
SUMMER-2011: HOT SPOTS OF PUSSY
SUMMER-2011: HOTSPOTS OF PUSSY
SUMMER-2011: LOVE BABE CITIES
SUMMER-2011: LOVE BABE PLACES
SUMMER-2011: LOVE BABE SPOTS
SUMMER-2011: LOVE BABIES CITIES
SUMMER-2011: LOVE BABIES SPOTS
SUMMER-2011: LOVE BABY CITIES
SUMMER-2011: LOVE BABY PLACES
SUMMER-2011: LOVE CITIES IN WORLD
SUMMER-2011: LOVE CITIES OF BABE
SUMMER-2011: LOVECITIES OF BABE
SUMMER-2011: LOVECITIES OF BABIES
SUMMER-2011: LOVE CITIES OF BABY
SUMMER-2011: LOVECITIES OF BABY
SUMMER-2011: LOVE CITIES OF PUSSIES
SUMMER-2011: LOVECITIES OF PUSSIES
SUMMER-2011: LOVE CITIES OF PUSSY
SUMMER-2011: LOVECITIES OF PUSSY
SUMMER-2011: LOVE GIRLS CITIES
SUMMER-2011: LOVE GIRLS PLACES
SUMMER-2011: LOVE GIRLS SPOTS
SUMMER-2011: LOVE MAP OF BABE
SUMMER-2011: LOVE-MAP OF BABE
SUMMER-2011: LOVE MAP OF BABIES
SUMMER-2011: LOVE-MAP OF BABIES
SUMMER-2011: LOVE MAP OF BABY
SUMMER-2011: LOVE-MAP OF BABY
SUMMER-2011: LOVE-MAP OF GIRLS
SUMMER-2011: LOVE MAP OF PUSSIES
SUMMER-2011: LOVE-MAP OF PUSSIES
SUMMER-2011: LOVE MAP OF PUSSY
SUMMER-2011: LOVE-MAP OF PUSSY
SUMMER-2011: LOVE PLACES OF BABE
SUMMER-2011: LOVEPLACES OF BABE
SUMMER-2011: LOVE PLACES OF BABIES
SUMMER-2011: LOVEPLACES OF BABIES
SUMMER-2011: LOVE PLACES OF BABY
SUMMER-2011: LOVEPLACES OF BABY
SUMMER-2011: LOVE PLACES OF GIRLS
SUMMER-2011: LOVEPLACES OF GIRLS
SUMMER-2011: LOVE PLACES OF PUSSIES
SUMMER-2011: LOVEPLACES OF PUSSIES
SUMMER-2011: LOVEPLACES OF PUSSY
SUMMER-2011: LOVE PUSSIES CITIES
SUMMER-2011: LOVE PUSSIES PLACES
SUMMER-2011: LOVE PUSSIES SPOTS
SUMMER-2011: LOVE PUSSY CITIES
SUMMER-2011: LOVE PUSSY SPOTS
SUMMER-2011: LOVE SPOTS IN WORLD
SUMMER-2011: LOVESPOTS IN WORLD
SUMMER-2011: LOVE SPOTS OF BABE
SUMMER-2011: LOVESPOTS OF BABE
SUMMER-2011: LOVE SPOTS OF BABIES
SUMMER-2011: LOVESPOTS OF BABIES
SUMMER-2011: LOVE SPOTS OF BABY
SUMMER-2011: LOVESPOTS OF BABY
SUMMER-2011: LOVE SPOTS OF GIRLS
SUMMER-2011: LOVE SPOTS OF PUSSIES
SUMMER-2011: LOVESPOTS OF PUSSIES
SUMMER-2011: LOVE SPOTS OF PUSSY
SUMMER-2011: LOVESPOTS OF PUSSY
SUMMER-2011: PUSSYCITIES IN WORLD
SUMMER-2011: PUSSYPLACES IN WORLD
SUMMER-2011: SEXYCITIES IN WORLD
SUMMER-2011: SEXY LOVE MAP
SUMMER-2011: SEXY LOVE-MAP
SUMMER-2011: SEXY PLACES IN WORLD
SUMMER-2011: SEXYPLACES IN WORLD
SUMMER-2011: SEXY SPOTS IN WORLD
SUMMER-2011: SEXYSPOTS IN WORLD
SUMMER-2011: SEXY WORLD MAP
SUMMER-2011: SEXY WORLD-MAP
SUMMER-2011: WORLD MAP OF BABE
SUMMER-2011: WORLD-MAP OF BABE
SUMMER-2011: WORLD MAP OF BABIES
SUMMER-2011: WORLD MAP OF BABY
SUMMER-2011: WORLD-MAP OF BABY
SUMMER-2011: WORLD MAP OF GIRLS
SUMMER-2011: WORLD-MAP OF GIRLS
SUMMER-2011: WORLD MAP OF PUSSIES
SUMMER-2011: WORLD-MAP OF PUSSIES
SUMMER-2011: WORLD-MAP OF PUSSY
WORLD MAP OF BABE 2011
WORLD MAP OF BABIES 2011
WORLD-MAP OF BABIES 2011
WORLD-MAP OF BABY 2011
WORLD MAP OF GIRLS 2011
WORLD-MAP OF GIRLS 2011
WORLD MAP OF PUSSY 2011
WORLD-MAP OF PUSSY 2011
(532 rows)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile