
ACH Transfer canceled - CVE-2011-3544

Published: 2012/02/02

It's on the rise again, but antivirus detection of this Java-based malware is slow to catch up...

If that's simply because it isn't widespread yet, fine.


The technique has changed slightly.


Message text of the recent pattern.

There are many variations of the subject line:

 ACH_transfer_rejected 
 ACH_payment_canceled 
 ACH_payment_rejected 
 Rejected_ACH_transfer
 Your_ACH_transfer 
 ACH_transaction_canceled 
 Rejected_ACH_transaction 
 Your_ACH_transaction 
 ACH_Transfer_canceled 
 Rejected_ACH_payment 

The lure URL in the message body. Again the familiar "js.js" pattern.


Contents of the first-stage redirect target "js.js": it redirects once more.


Contents of the second-stage redirect target. Until now this stage went through obfuscation and JavaScript, but it has become straightforward.


What the files really are

 Ooo.jar

https://www.virustotal.com/file/368b159b72294b162d929a134f76dbf3b23bc2c20a6744ad07a54181b6bf2019/analysis/1328144477/

(2/43 engines detected)

 rhi.jar

https://www.virustotal.com/file/ba54abeed3478ab3a7fc33afb7ee4ff9494cdb3b0f32596b8b3ef15c938eebbd/analysis/1328156411/

(3/43 engines detected)

 lib.php (PDF)

https://www.virustotal.com/file/deb7232027ae1b41dd1c16441c66c5c4dd0f9422eebefd6f50de1f2581280770/analysis/1328156509/

(2/41 engines detected)


URLs in the message body
http://minalimo.com/K9DNfNRu/index.html
http://newheightsdr.com/LaV4inWa/index.html
http://demosricerca.it/aRpcdCjd/index.html
http://primecareplushh.com/8KQZuSAy/index.html
http://abahayam.com/aRpcdCjd/index.html
http://alphapointsoftware.com/1Tj4e0PY/index.html
http://drupal.ne-ws.it/8KQZuSAy/index.html
http://eyewearstars.com/1Tj4e0PY/index.html
http://eyewearstars.com/aRpcdCjd/index.html
http://ftp.samisalami.com/LaV4inWa/index.html
http://ftp.sanddollartitle.com/2u8eKNHo/index.html
http://ftp.sanddollartitle.com/aRpcdCjd/index.html
http://glare.it/LaV4inWa/index.html
http://impiantieolici.com/1Tj4e0PY/index.html
http://accommodationinarg.com.ar/QYv6Ud5g/index.html
http://alphapointsoftware.com/aRpcdCjd/index.html
http://ftp.samisalami.com/1Tj4e0PY/index.html
http://impiantieolici.com/LaV4inWa/index.html
http://maerlipinte.ch/aRpcdCjd/index.html
http://samwep.com/aRpcdCjd/index.html
http://schillingdoor.com/8KQZuSAy/index.html
http://ufukjinofertil.com/1Tj4e0PY/index.html
http://ufukjinofertil.com/LaV4inWa/index.html
http://123-movie-download-review.com/aRpcdCjd/index.html
http://abahayam.com/2u8eKNHo/index.html
http://deltaufficio.it/8KQZuSAy/index.html
http://drupal.ne-ws.it/1Tj4e0PY/index.html
http://erniegrey.com/aRpcdCjd/index.html
http://fcwattenwil.ch/2u8eKNHo/index.html
http://ftp.sanddollartitle.com/1Tj4e0PY/index.html
http://ftp.sanddollartitle.com/8KQZuSAy/index.html
http://hotel-sicily.it/8KQZuSAy/index.html
http://krystal-group.co.uk/1Tj4e0PY/index.html
http://krystal-group.co.uk/2u8eKNHo/index.html
http://minalimo.com/oug9a9RP/index.html
http://moderncommunications.pt/2u8eKNHo/index.html
http://newheightsdr.com/1Tj4e0PY/index.html
http://novospektr.ru/2u8eKNHo/index.html
http://novospektr.ru/LaV4inWa/index.html
http://radiofabbrica.ilbello.com/aRpcdCjd/index.html
http://rhymeglowbooks.com/2u8eKNHo/index.html
http://s356873066.onlinehome.fr/1Tj4e0PY/index.html
http://s356873066.onlinehome.fr/8KQZuSAy/index.html
http://schillingdoor.com/aRpcdCjd/index.html
http://stpetedentistry.com/2u8eKNHo/index.html
http://tlahui.us/p4wkkHFB/index.html
http://123-movie-download-review.com/2u8eKNHo/index.html
http://195.202.169.58/2u8eKNHo/index.html
http://195.202.169.58/LaV4inWa/index.html
http://abahayam.com/LaV4inWa/index.html
http://accommodationinarg.com.ar/UVaBCsYx/index.html
http://citysportspicks.com/2u8eKNHo/index.html
http://deltaufficio.it/aRpcdCjd/index.html
http://demosricerca.it/1Tj4e0PY/index.html
http://demosricerca.it/8KQZuSAy/index.html
http://drupal.ne-ws.it/2u8eKNHo/index.html
http://drupal.ne-ws.it/aRpcdCjd/index.html
http://erniegrey.com/2u8eKNHo/index.html
http://hotel-sicily.it/2u8eKNHo/index.html
http://hotel-sicily.it/LaV4inWa/index.html
http://ihraa.org/1Tj4e0PY/index.html
http://ihraa.org/2u8eKNHo/index.html
http://impiantieolici.com/aRpcdCjd/index.html
http://ivmstore.com/LaV4inWa/index.html
http://lucanaagricola.com/UVaBCsYx/index.html
http://lucanaagricola.com/Z8QgMpRH/index.html
http://maerlipinte.ch/LaV4inWa/index.html
http://minalimo.com/3TXcGGS0/index.html
http://minalimo.com/f9oYYmiY/index.html
http://minalimo.com/qcTzUTgD/index.html
http://moderncommunications.pt/1Tj4e0PY/index.html
http://moderncommunications.pt/8KQZuSAy/index.html
http://moderncommunications.pt/aRpcdCjd/index.html
http://newheightsdr.com/aRpcdCjd/index.html
http://obuuc.org/1Tj4e0PY/index.html
http://obuuc.org/8KQZuSAy/index.html
http://obuuc.org/LaV4inWa/index.html
http://primecareplushh.com/1Tj4e0PY/index.html
http://riseandshinecleaning.com.au/1Tj4e0PY/index.html
http://riseandshinecleaning.com.au/8KQZuSAy/index.html
http://riseandshinecleaning.com.au/LaV4inWa/index.html
http://s356873066.onlinehome.fr/2u8eKNHo/index.html
http://samwep.com/LaV4inWa/index.html
http://schillingdoor.com/2u8eKNHo/index.html
http://stpetedentistry.com/8KQZuSAy/index.html
http://ufukjinofertil.com/8KQZuSAy/index.html
http://123-movie-download-review.com/8KQZuSAy/index.html
http://195.202.169.58/1Tj4e0PY/index.html
http://accommodationinarg.com.ar/3vyLwkQz/index.html
http://accommodationinarg.com.ar/UxDCNMYN/index.html
http://alphapointsoftware.com/2u8eKNHo/index.html
http://citysportspicks.com/LaV4inWa/index.html
http://deltaufficio.it/1Tj4e0PY/index.html
http://deltaufficio.it/2u8eKNHo/index.html
http://deltaufficio.it/LaV4inWa/index.html
http://eyewearstars.com/2u8eKNHo/index.html
http://eyewearstars.com/LaV4inWa/index.html
http://ftp.samisalami.com/2u8eKNHo/index.html
http://ftp.samisalami.com/aRpcdCjd/index.html
http://ftp.sanddollartitle.com/LaV4inWa/index.html
http://glare.it/aRpcdCjd/index.html
http://ihraa.org/LaV4inWa/index.html
http://ihraa.org/aRpcdCjd/index.html
http://impiantieolici.com/2u8eKNHo/index.html
http://ivmstore.com/8KQZuSAy/index.html
http://ivmstore.com/aRpcdCjd/index.html
http://krystal-group.co.uk/aRpcdCjd/index.html
http://lucanaagricola.com/dMCRgZsj/index.html
http://lucanaagricola.com/vCfM6RFC/index.html
http://maerlipinte.ch/1Tj4e0PY/index.html
http://minalimo.com/2anzwibi/index.html
http://minalimo.com/3Z8KthUW/index.html
http://minalimo.com/AcA11zXE/index.html
http://minalimo.com/V7nxGLL1/index.html
http://minalimo.com/zYygPNJD/index.html
http://minalimo.com/zv13jia5/index.html
http://moderncommunications.pt/LaV4inWa/index.html
http://newheightsdr.com/8KQZuSAy/index.html
http://primecareplushh.com/LaV4inWa/index.html
http://radiofabbrica.ilbello.com/2u8eKNHo/index.html
http://radiofabbrica.ilbello.com/8KQZuSAy/index.html
http://rhymeglowbooks.com/1Tj4e0PY/index.html
http://rhymeglowbooks.com/LaV4inWa/index.html
http://riseandshinecleaning.com.au/2u8eKNHo/index.html
http://s356873066.onlinehome.fr/LaV4inWa/index.html
http://samwep.com/1Tj4e0PY/index.html
http://samwep.com/2u8eKNHo/index.html
http://schillingdoor.com/1Tj4e0PY/index.html
http://stpetedentistry.com/1Tj4e0PY/index.html
http://stpetedentistry.com/aRpcdCjd/index.html
http://surftherocks.com/2u8eKNHo/index.html
http://surftherocks.com/8KQZuSAy/index.html
http://surftherocks.com/LaV4inWa/index.html
http://tlahui.us/okjm2byF/index.html
http://tlahui.us/rWgcQ5VD/index.html
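As an added example (not code from the original post), the following Python script turns the indicators listed above into a small triage check: it flags subject lines of the underscore-joined "ACH_…" form, extracts body URLs that have the "/<8 alphanumeric characters>/index.html" landing-page shape, groups hosts by that directory token (which shows the same token reused across many compromised sites, as in the list above), and pulls the SHA-256 out of the VirusTotal links given earlier. The sample mail body and the benign control entries are constructed for the example and are not from the campaign; the function names are my own.

```python
"""Triage helpers for the ACH-lure campaign indicators quoted in the post.

SUBJECTS, URLS and VT_LINKS below are a hand-picked subset of what the post
lists; entries marked "constructed" are benign controls invented for this
example and do not come from the campaign.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SUBJECTS = [
    "ACH_transfer_rejected",
    "Your_ACH_transaction",
    "ACH_Transfer_canceled",
    "Rejected_ACH_payment",
    "Invoice for January",  # constructed benign control
    "ACH_network_update",   # constructed benign control (no transfer/payment/transaction word)
]

URLS = [
    "http://minalimo.com/K9DNfNRu/index.html",
    "http://demosricerca.it/aRpcdCjd/index.html",
    "http://abahayam.com/aRpcdCjd/index.html",
    "http://eyewearstars.com/1Tj4e0PY/index.html",
    "http://eyewearstars.com/aRpcdCjd/index.html",
    "http://ftp.sanddollartitle.com/aRpcdCjd/index.html",
    "http://195.202.169.58/2u8eKNHo/index.html",
    "http://example.org/about/index.html",  # constructed benign control
]

VT_LINKS = [
    "https://www.virustotal.com/file/368b159b72294b162d929a134f76dbf3b23bc2c20a6744ad07a54181b6bf2019/analysis/1328144477/",
    "https://www.virustotal.com/file/ba54abeed3478ab3a7fc33afb7ee4ff9494cdb3b0f32596b8b3ef15c938eebbd/analysis/1328156411/",
]

# Every subject in the post is 2-4 alphabetic words joined by "_", contains the
# literal token "ACH", and names one of these objects (in any letter case).
ACH_OBJECTS = {"transfer", "payment", "transaction"}


def is_ach_lure_subject(subject: str) -> bool:
    tokens = subject.strip().split("_")
    if not 2 <= len(tokens) <= 4 or not all(t.isalpha() for t in tokens):
        return False
    return "ACH" in tokens and bool({t.lower() for t in tokens} & ACH_OBJECTS)


# Landing pages: plain http, an 8-character alphanumeric directory, then index.html.
LANDING_PATH_RE = re.compile(r"^/([A-Za-z0-9]{8})/index\.html$")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def landing_token(url: str):
    """Return the 8-char directory token if url has the campaign's landing-page shape, else None."""
    p = urlparse(url)
    if p.scheme != "http" or not p.netloc:
        return None
    m = LANDING_PATH_RE.match(p.path)
    return m.group(1) if m else None


def extract_landing_urls(text: str):
    return [u for u in URL_RE.findall(text) if landing_token(u)]


def hosts_by_token(urls):
    """Map each directory token to the sorted list of hosts serving it."""
    groups = defaultdict(set)
    for u in urls:
        tok = landing_token(u)
        if tok:
            groups[tok].add(urlparse(u).netloc)
    return {tok: sorted(hosts) for tok, hosts in groups.items()}


def shared_tokens(urls, min_hosts=2):
    """Tokens reused on at least min_hosts distinct hosts: the kit-wide signal, not a per-site one."""
    return sorted(tok for tok, hosts in hosts_by_token(urls).items() if len(hosts) >= min_hosts)


VT_FILE_RE = re.compile(r"virustotal\.com/file/([0-9a-f]{64})/")


def vt_sha256(link: str):
    m = VT_FILE_RE.search(link)
    return m.group(1) if m else None


# Constructed sample message (not the campaign's real wording).
SAMPLE_MAIL = """Subject: ACH_payment_rejected

Your recent ACH transfer was rejected by the receiving bank.
Transaction report: http://minalimo.com/K9DNfNRu/index.html
"""


def triage(mail_text: str):
    subject = ""
    for line in mail_text.splitlines():
        if line.startswith("Subject: "):
            subject = line[len("Subject: "):].strip()
            break
    urls = extract_landing_urls(mail_text)
    hit = is_ach_lure_subject(subject)
    return {"subject_match": hit, "landing_urls": urls, "verdict": hit and bool(urls)}


if __name__ == "__main__":
    print(triage(SAMPLE_MAIL))
    print("tokens shared across hosts:", shared_tokens(URLS))
    print("payload hashes:", [vt_sha256(l) for l in VT_LINKS])
```

The token grouping is the part worth keeping: a single host in the list above may carry several tokens, and a single token appears on a dozen unrelated hosts, so blocking by token (or by the "/[A-Za-z0-9]{8}/index.html" shape on a mail gateway) catches more of the campaign than blocking by host.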

Hosting information (reverse DNS, AS)

name | ip | reverse DNS | AS | AS name | country
hotel-sicily.it | 212.239.26.166 | web12.aziendeitalia.com. | 3313 | INET-AS_BT_Italia_S.p.A. | Italy
lucanaagricola.com | 93.95.218.17 | ns1.trovanome.it. | 3313 | INET-AS_BT_Italia_S.p.A. | Italy
schillingdoor.com | 173.184.121.2 | ns1.personalcomputer.net. | 7029 | WINDSTREAM_-_Windstream_Communications_Inc | United States
erniegrey.com | 74.208.42.39 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States
minalimo.com | 50.21.179.97 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States
s356873066.onlinehome.fr | 82.165.112.27 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany
alphapointsoftware.com | 216.119.135.130 | a2s40.a2hosting.com. | 12129 | 123NET_-_123.Net_Inc. | United States
ftp.sanddollartitle.com | 168.144.192.80 | sanddollartitle.com. | 14166 | SOFTCOMCA_Softcom_Inc | Canada
123-movie-download-review.com | 209.217.224.197 | coleman.nswebhost.com. | 16626 | GNAXNET-AS_-_Global_Net_Access_LLC | United States
accommodationinarg.com.ar | 209.217.235.21 | win6.nswebhost.com. | 16626 | GNAXNET-AS_-_Global_Net_Access_LLC | United States
riseandshinecleaning.com.au | 74.81.82.99 | srv1.hosting-you.com. | 16626 | GNAXNET-AS_-_Global_Net_Access_LLC | United States
obuuc.org | 65.18.196.199 | host2.uuserver.net. | 19916 | ASTRUM-0001_-_OLM_LLC | United States
primecareplushh.com | 67.19.231.213 | d5.e7.1343.static.theplanet.com. | 21844 | THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc. | United States
tlahui.us | 204.93.193.125 | bugatti.mochahost.com. | 23352 | SERVERCENTRAL_-_Server_Central_Network | United States
ihraa.org | 222.165.255.246 | ip-246-255-static.velo.net.id. | 24207 | EXPRESSNET-AS-ID_PT._Net2Cyber_Indonesia | Indonesia
fcwattenwil.ch | 85.10.198.133 | login-12.loginserver.ch. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany
maerlipinte.ch | 85.10.198.133 | login-12.loginserver.ch. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany
moderncommunications.pt | 46.4.82.71 | ns1.agamids.com. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany
radiofabbrica.ilbello.com | 46.4.45.54 | mail.ilbello.com. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany
deltaufficio.it | 62.149.231.130 | host130-231-149-62.serverdedicati.aruba.it. | 31034 | ARUBA-ASN_Aruba_S.p.A._-_Network | Italy
citysportspicks.com | 72.47.217.86 | alliancewebdesign.com. | 31815 | MEDIATEMPLE_-_Media_Temple_Inc. | United States
stpetedentistry.com | 70.32.105.234 | newserver.com. | 31815 | MEDIATEMPLE_-_Media_Temple_Inc. | United States
eyewearstars.com | 184.154.227.9 | ns1.siteground254.com. | 32475 | SINGLEHOP-INC_-_SingleHop | United States
krystal-group.co.uk | 69.175.104.178 | cl126.justhost.com. | 32475 | SINGLEHOP-INC_-_SingleHop | United States
samwep.com | 184.107.41.4 | iwsc.samwep.com. | 32613 | IWEB-AS_-_iWeb_Technologies_Inc. | Canada
ftp.samisalami.com | 46.252.18.115 | flores.ispgateway.de. | 34011 | DOMAINFACTORY_domainfactory_GmbH | Germany
ivmstore.com | 216.172.185.47 | NONE | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | United States
rhymeglowbooks.com | 173.192.111.24 | PSS003.win.hostgator.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | United States
surftherocks.com | 50.22.11.20 | bennington.accountservergroup.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | United States
glare.it | 207.32.189.59 | NONE | 36444 | NEXCESS-NET_-_NEXCESS.NET_L.L.C. | United States
demosricerca.it | 81.29.148.91 | eris.servicedomus.it. | 39616 | SWITCHWARD-AS_Switchward_&_Trostmann_AG | Italy
impiantieolici.com | 208.87.243.92 | siva.xisto.com. | 40676 | PSYCHZ_-_Psychz_Networks | United States
ufukjinofertil.com | 31.210.56.31 | pls4.webevi.com. | 42910 | SADECEHOSTING-COM_Hosting_Internet_Hizmetleri_Ltd_Sti | Turkey
abahayam.com | 124.150.140.85 | NONE | 45945 | WEBSERVER-MY_Acme_Commerce_Sdb_Bhd_Malayia_Network | Malaysia
newheightsdr.com | 66.147.244.74 | box774.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | United States
drupal.ne-ws.it | 195.88.6.232 | linweb01.ne-ws.it. | 48815 | CRITICALCASE_CriticalCase_srl | Italy

 Domain: mediapoolstarnberg.de
 Nserver: ns1.knallhart.de
 Nserver: ns2.knallhart.de
 Nserver: ns3.knallhart.de
 Status: connect
 Changed: 2010-06-21T13:10:15+02:00
 
 CountryCode: DE
 
 213.160.86.91
   
 inetnum:        213.160.86.0 -  213.160.87.255
 netname:        KNALLHART1
 descr:          Knallhart Marketing GmbH
 descr:          Voltastrasse 5
 descr:          13355 Berlin
 country:        DE

   Domain Name: SPERIMITOS.COM
   Registrar: NAMESECURE.COM
   Whois Server: whois.namesecure.com
   Referral URL: http://www.namesecure.com
   Name Server: DNS1.NAMESECURE.COM
   Name Server: DNS2.NAMESECURE.COM
   Status: clientTransferProhibited
   Updated Date: 16-nov-2011
   Creation Date: 16-nov-2011
   Expiration Date: 16-nov-2012
 
 74.207.249.36
 
 NetRange:       74.207.224.0 - 74.207.255.255
 CIDR:           74.207.224.0/19
 OriginAS:       
 NetName:        LINODE-US
 NetHandle:      NET-74-207-224-0-1
 Parent:         NET-74-0-0-0-0
 NetType:        Direct Allocation
 Comment:        This block is used for static customer allocations.
 RegDate:        2009-01-14
 Updated:        2010-07-27
 Country:        US

[Category: spam observation diary]

by jyake