ACH Transfer canceled - CVE-2011-3544
Published: 2012/02/02
These are on the rise again, but antivirus detection of this Java-based malware is slow to catch up...
If it is simply because it isn't widespread, that would be fine.
The technique has changed slightly.
The message text of the recent pattern.
There are many variations of the subject line.
ACH_transfer_rejected ACH_payment_canceled ACH_payment_rejected Rejected_ACH_transfer Your_ACH_transfer ACH_transaction_canceled Rejected_ACH_transaction Your_ACH_transaction ACH_Transfer_canceled Rejected_ACH_payment
The lure URL in the message body. This one also follows the "js.js" pattern.
Contents of the first-stage jump target "js.js". It jumps once more.
Contents of the second-stage jump target. Until now there was obfuscation and JavaScript involved,
but it has become quite straightforward.
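As an added example (not code from the original post), a small mail-filter check that encodes the two campaign traits described above: the listed subject-line variants (underscores read as spaces) and the lure-URL shape, a compromised host followed by an eight-character alphanumeric directory and index.html, plus the first-stage "js.js" script. Sample messages and hosts are constructed placeholders.

```python
import re

# Subject-line variants listed in the post; underscores stand for spaces.
ACH_SUBJECTS = [
    "ACH_transfer_rejected", "ACH_payment_canceled", "ACH_payment_rejected",
    "Rejected_ACH_transfer", "Your_ACH_transfer", "ACH_transaction_canceled",
    "Rejected_ACH_transaction", "Your_ACH_transaction", "ACH_Transfer_canceled",
    "Rejected_ACH_payment",
]
NORMALIZED_SUBJECTS = {s.replace("_", " ").lower() for s in ACH_SUBJECTS}

# Lure URL shape seen in the post: http://<host>/<8 alphanumerics>/index.html
LURE_URL = re.compile(r"https?://[^\s/]+/[A-Za-z0-9]{8}/index\.html")
# First-stage jump target named in the post: a script called js.js
JS_REDIRECT = re.compile(r"https?://\S+/js\.js\b")


def normalize_subject(subject):
    """Map 'ACH_payment_canceled', 'ACH payment canceled.' etc. to one form."""
    return " ".join(subject.replace("_", " ").split()).rstrip(".!").lower()


def classify_message(subject, body):
    """Return (verdict, details); verdict is 'ach-malspam', 'suspicious' or 'clean'."""
    subject_hit = normalize_subject(subject) in NORMALIZED_SUBJECTS
    lure_urls = LURE_URL.findall(body)
    js_urls = JS_REDIRECT.findall(body)
    details = {"subject_hit": subject_hit, "lure_urls": lure_urls, "js_urls": js_urls}
    if subject_hit and (lure_urls or js_urls):
        return "ach-malspam", details   # both traits present: high confidence
    if subject_hit or lure_urls or js_urls:
        return "suspicious", details    # one trait only: worth a closer look
    return "clean", details


# Constructed sample messages (not from the post); hosts are placeholders.
SAMPLES = [
    ("ACH_payment_canceled", "Please review: http://host-a.invalid/aB3dE7fG/index.html"),
    ("Rejected ACH transaction.", "Details at http://host-b.invalid/Zq9LmNp2/index.html"),
    ("Invoice for March", "See http://host-c.invalid/docs/index.html"),
]


def run_samples():
    return [classify_message(subject, body)[0] for subject, body in SAMPLES]


if __name__ == "__main__":
    for (subject, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:12} {subject}")
```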
What the files are
Ooo.jar (2/43)
rhi.jar (3/43)
lib.php (PDF) (2/41)
URLs in the message body
AS and related information
name | ip | reverse DNS | AS | AS name | country |
---|---|---|---|---|---|
hotel-sicily.it | 212.239.26.166 | web12.aziendeitalia.com. | 3313 | INET-AS_BT_Italia_S.p.A. | Italy |
lucanaagricola.com | 93.95.218.17 | ns1.trovanome.it. | 3313 | INET-AS_BT_Italia_S.p.A. | Italy |
schillingdoor.com | 173.184.121.2 | ns1.personalcomputer.net. | 7029 | WINDSTREAM_-_Windstream_Communications_Inc | UnitedStates |
erniegrey.com | 74.208.42.39 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
minalimo.com | 50.21.179.97 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
s356873066.onlinehome.fr | 82.165.112.27 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
alphapointsoftware.com | 216.119.135.130 | a2s40.a2hosting.com. | 12129 | 123NET_-_123.Net_Inc. | UnitedStates |
ftp.sanddollartitle.com | 168.144.192.80 | sanddollartitle.com. | 14166 | SOFTCOMCA_Softcom_Inc | Canada |
123-movie-download-review.com | 209.217.224.197 | coleman.nswebhost.com. | 16626 | GNAXNET-AS_-_Global_Net_Access_LLC | UnitedStates |
accommodationinarg.com.ar | 209.217.235.21 | win6.nswebhost.com. | 16626 | GNAXNET-AS_-_Global_Net_Access_LLC | UnitedStates |
riseandshinecleaning.com.au | 74.81.82.99 | srv1.hosting-you.com. | 16626 | GNAXNET-AS_-_Global_Net_Access_LLC | UnitedStates |
obuuc.org | 65.18.196.199 | host2.uuserver.net. | 19916 | ASTRUM-0001_-_OLM_LLC | UnitedStates |
primecareplushh.com | 67.19.231.213 | d5.e7.1343.static.theplanet.com. | 21844 | THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc. | UnitedStates |
tlahui.us | 204.93.193.125 | bugatti.mochahost.com. | 23352 | SERVERCENTRAL_-_Server_Central_Network | UnitedStates |
ihraa.org | 222.165.255.246 | ip-246-255-static.velo.net.id. | 24207 | EXPRESSNET-AS-ID_PT._Net2Cyber_Indonesia | Indonesia |
fcwattenwil.ch | 85.10.198.133 | login-12.loginserver.ch. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany |
maerlipinte.ch | 85.10.198.133 | login-12.loginserver.ch. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany |
moderncommunications.pt | 46.4.82.71 | ns1.agamids.com. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany |
radiofabbrica.ilbello.com | 46.4.45.54 | mail.ilbello.com. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany |
deltaufficio.it | 62.149.231.130 | host130-231-149-62.serverdedicati.aruba.it. | 31034 | ARUBA-ASN_Aruba_S.p.A._-_Network | Italy |
citysportspicks.com | 72.47.217.86 | alliancewebdesign.com. | 31815 | MEDIATEMPLE_-_Media_Temple_Inc. | UnitedStates |
stpetedentistry.com | 70.32.105.234 | newserver.com. | 31815 | MEDIATEMPLE_-_Media_Temple_Inc. | UnitedStates |
eyewearstars.com | 184.154.227.9 | ns1.siteground254.com. | 32475 | SINGLEHOP-INC_-_SingleHop | UnitedStates |
krystal-group.co.uk | 69.175.104.178 | cl126.justhost.com. | 32475 | SINGLEHOP-INC_-_SingleHop | UnitedStates |
samwep.com | 184.107.41.4 | iwsc.samwep.com. | 32613 | IWEB-AS_-_iWeb_Technologies_Inc. | Canada |
ftp.samisalami.com | 46.252.18.115 | flores.ispgateway.de. | 34011 | DOMAINFACTORY_domainfactory_GmbH | Germany |
ivmstore.com | 216.172.185.47 | NONE | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
rhymeglowbooks.com | 173.192.111.24 | PSS003.win.hostgator.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
surftherocks.com | 50.22.11.20 | bennington.accountservergroup.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
glare.it | 207.32.189.59 | NONE | 36444 | NEXCESS-NET_-_NEXCESS.NET_L.L.C. | UnitedStates |
demosricerca.it | 81.29.148.91 | eris.servicedomus.it. | 39616 | SWITCHWARD-AS_Switchward_&_Trostmann_AG | Italy |
impiantieolici.com | 208.87.243.92 | siva.xisto.com. | 40676 | PSYCHZ_-_Psychz_Networks | UnitedStates |
ufukjinofertil.com | 31.210.56.31 | pls4.webevi.com. | 42910 | SADECEHOSTING-COM_Hosting_Internet_Hizmetleri_Ltd_Sti | Turkey |
abahayam.com | 124.150.140.85 | NONE | 45945 | WEBSERVER-MY_Acme_Commerce_Sdb_Bhd_Malayia_Network | Malaysia |
newheightsdr.com | 66.147.244.74 | box774.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
drupal.ne-ws.it | 195.88.6.232 | linweb01.ne-ws.it. | 48815 | CRITICALCASE_CriticalCase_srl | Italy |
by jyake