
BBB - company.html

Published: 2012/02/18

Observed: 2/17 (a single day only)

Message count: 596


BBB-themed spam has appeared before, and it keeps being reused.

Better Business Bureau - CVE-2011-3544

The basic technique is the same, but it is being varied subtly, including the attack payload itself.


Message text like this:

The link looks like this; this time the distinguishing feature is "company.html":

 http://andletmedance.net/wp-includes/company.html

The contents of company.html look like this:

The script portion decodes to something like this,

so when the link is clicked, along with an image like this being displayed,

behind the scenes another site is accessed:

 http://synergyledlighting.net/main.php?page=d3XXXXXXXXXXX

The contents of that file are as follows.

From here on it is the same as before.
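As an added example, not part of the original post, the chain above expressed as detection logic over proxy logs: the lure page sitting under a WordPress wp-includes directory, the main.php?page= landing on a second host, and the jar / w.php payload fetch that follows. The log format and client addresses are constructed; the hostnames are the ones from this post, and placing the payload fetch on the landing host is an assumption of the sample, not something the post states.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Stage fingerprints taken from the chain described above: a static company.html
# under a WordPress wp-includes directory, the main.php?page= landing on a
# second host, and the jar / w.php payload fetches that follow.
STAGE_PATTERNS = [
    ("lure",    re.compile(r"/wp-includes/company\.html$")),
    ("landing", re.compile(r"/main\.php$")),
    ("payload", re.compile(r"(?:\.jar|/w\.php)$")),
]


def classify(url):
    """Return the campaign stage a URL matches ('lure', 'landing', 'payload') or None."""
    parsed = urlparse(url)
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(parsed.path):
            # A bare main.php is too generic; the landing page always carries page=.
            if stage == "landing" and "page" not in parse_qs(parsed.query):
                return None
            return stage
    return None


def find_chains(log_lines):
    """Group proxy log lines (constructed format: epoch client method url status)
    by client and return the clients that walked lure -> landing -> payload in
    that order, with the landing host different from the lure host."""
    events = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        stage = classify(url)
        if stage:
            events[client].append((stage, urlparse(url).hostname, url))

    chains = {}
    for client, seen in events.items():
        stages = [stage for stage, _, _ in seen]
        try:
            i = stages.index("lure")
            j = stages.index("landing", i + 1)
            k = stages.index("payload", j + 1)
        except ValueError:
            continue  # one or more stages missing: not the full chain
        if seen[i][1] != seen[j][1]:
            chains[client] = [seen[i], seen[j], seen[k]]
    return chains


# Constructed proxy log: one client following the chain, one benign client whose
# requests look superficially similar (a wp-includes asset, a main.php without page=).
SAMPLE_LOG = """\
1329500001 10.0.0.5 GET http://andletmedance.net/wp-includes/company.html 200
1329500003 10.0.0.5 GET http://synergyledlighting.net/main.php?page=d3XXXXXXXXXXX 200
1329500005 10.0.0.5 GET http://synergyledlighting.net/jav.jar 200
1329500006 10.0.0.5 GET http://synergyledlighting.net/w.php?f=61&e=6 200
1329500010 10.0.0.9 GET http://www.example.com/wp-includes/js/jquery.js 200
1329500011 10.0.0.9 GET http://intranet.example.com/main.php 200
"""

if __name__ == "__main__":
    for client, chain in find_chains(SAMPLE_LOG.splitlines()).items():
        print(client)
        for stage, host, url in chain:
            print(f"  {stage:8s} {host:28s} {url}")
```

The order check matters more than any single pattern: a static HTML file under wp-includes is odd on its own but not rare, while lure, landing on another host and a jar fetch within seconds from one client is the campaign described above.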


Downloaded files.

 jav.jar

https://www.virustotal.com/file/de4f1ca779f46d2af4fb7302a7e4b33f1df8d82985d2ac55e92b05dd7176a7f8/analysis/1329572523/

(0/43). Yesterday it was (1/43), though...

 obe.jar

https://www.virustotal.com/file/55a6b95df8a618b96b2f5d722b14b1c3bf9a9851eda898e11c6118c0271af491/analysis/1329572640/

(2/43). This one has dropped too.

 w.php?f=61&e=6

https://www.virustotal.com/file/1abdb8da43196e03c8c7cc02e79656f506606f71385bff9bf39e24f2d8e42123/analysis/1329572751/

(12/43)


Domains used in the links in the message body. Mostly US.

domain	ip	reverse DNS	AS	AS Name	country
dev.minuto30.com	66.239.209.31	server.minuto30.com.	2828	XO-AS15_-_XO_Communications	United States
dejuliusandcompany.com	63.250.48.129	unix02.hsphere.cc.	4906	FDS-01_-_Frontline_Data_Services_Inc	United States
andletmedance.net	87.106.152.85	kundenserver.de.	8560	ONEANDONE-AS_1&1_Internet_AG	Germany
noticiasmexico.theandroidgeek.com	74.208.248.119	perfora.net.	8560	ONEANDONE-AS_1&1_Internet_AG	United States
sperske.com	74.208.24.44	perfora.net.	8560	ONEANDONE-AS_1&1_Internet_AG	United States
losugen.com	116.0.23.219	hyperion.instanthosting.com.au.	9280	CIA-AS_connect_infobahn_australia_(CIA)	Australia
besttabletbuy.com	122.155.16.84	ns1-15516084.dragonhispeed.com.	9931	CAT-AP_The_Communication_Authoity_of_Thailand_CAT	Thailand
billyhornsby.com	216.104.172.39	missiontips.com.	10732	TIERRANET_-_TierraNet_Inc.	United States
cardonations.freehostia.com	66.40.52.242	NONE	11388	MAXIM_-_Peer_1_Dedicated_Hosting	United States
guard-dog-security.co.uk	77.92.73.4	NONE	13213	UK2NET-AS_UK-2_Ltd_Autonomous_System	United Kingdom
nanaimofishingcharters.com	69.90.137.67	cpanel7.onlinemountain.com.	13768	PEER1_-_Peer_1_Network_Inc.	Canada
casinos-mangas.com	80.247.233.98	jefaismesachats.nfrance.com.	15826	NFRANCE_NFRANCE_CONSEIL	France
chrisball45.com	67.18.3.50	savannah.websitewelcome.com.	21844	THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc.	United States
cuddleupblankets.com	74.53.108.34	pulsar.websitewelcome.com.	21844	THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc.	United States
kitchencurtain-s.us	174.133.72.194	host3.asianbrainserver.com.	21844	THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc.	United States
vhfb.org	174.120.169.221	dd.a9.78ae.static.theplanet.com.	21844	THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc.	United States
weeklytopnews.info	174.132.151.114	72.97.84ae.static.theplanet.com.	21844	THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc.	United States
aussiesmokers.com	173.236.150.230	apache2-daisy.algenib.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
christinabernales.com	69.163.159.54	apache2-prance.wasp.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
copyaccess.com	173.236.169.216	apache2-quack.mamoudzou.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
cornerstoneword.org	173.236.169.76	apache2-zoo.mamoudzou.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
funtimems.com	173.236.169.216	apache2-quack.mamoudzou.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
i.diskovered.com	173.236.201.72	apache2-jolly.aldhanab.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
juleimages.com	69.163.128.84	apache2-zoo.constantine.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
localglobalnetwork.org	69.163.150.132	apache2-ichiban.bujumbura.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
mmoenquirer.com	173.236.233.189	apache2-sith.menchib.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
plumbcrazykansas.com	173.236.145.161	ps29273.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
rosangelaimoveis.com	67.205.31.82	apache2-ugly.bugsy.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
vertent.net	173.236.129.150	apache2-quack.jayturser.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
votaguz.com	67.205.52.83	apache2-pat.silversurfer.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
zazagroup.com	69.163.150.90	apache2-jiffy.bujumbura.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
zendz.com	67.205.28.59	apache2-jolly.bugsy.dreamhost.com.	26347	DREAMHOST-AS_-_New_Dream_Network_LLC	United States
maryjanesocialmedia.com	184.168.173.1	p3nlhg232c1232.shr.prod.phx3.secureserver.net.	26496	AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc.	United States
spokanehousepainting.com	97.74.46.128	p3nlhg100c1100.shr.prod.phx3.secureserver.net.	26496	AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc.	United States
tisti.ca	208.109.254.214	ip-208-109-254-214.ip.secureserver.net.	26496	AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc.	United States
holr.net	206.130.119.252	artofdomaining.com.	29854	WESTHOST_-_WestHost_Inc.	United States
stagandpheasant.co.uk	85.13.221.34	slc0019.pickaweb.co.uk.	31708	COREIX-UK-AS_Coreix_Limited	United Kingdom
rajeu.com	66.116.176.2	NONE	32392	OPENTRANSFER-ECOMMERCE_-_Ecommerce_Corporation	United States
lankagazette.com	69.175.50.172	gurukulla.com.	32475	SINGLEHOP-INC_-_SingleHop	United States
stebbings-archive.net	69.175.71.66	cx01.supergreenhosting.com.	32475	SINGLEHOP-INC_-_SingleHop	United States
latestnewstrends.net	174.142.97.91	server1.ebizpromo.com.	32613	IWEB-AS_-_iWeb_Technologies_Inc.	Canada
extremewordpress.com	119.18.57.42	NONE	33480	WEBWERKSAS1_-_Web_Werks	India
carvillvending.com	188.65.115.2	bajor.servers.rbl-mer.misp.co.uk.	35732	UKWEBHOSTING-AS_UK_Webhosting_Ltd_-_Autonomous_System	United Kingdom
hermajestymontreal.com	50.22.112.96	ns2798.hostgator.com.	36351	SOFTLAYER_-_SoftLayer_Technologies_Inc.	United States
news.prohyipdesign.com	93.114.41.181	rabbithost.ro.	39743	VOXILITY-AS_Voxility_SRL	Romania
magnoliapair.com	66.147.244.232	box732.bluehost.com.	46606	BLUEHOST-AS-2_-_Bluehost_Inc.	United States
yorksmith.co.uk	94.126.40.144	webpool1.lcn.com.	50056	AI-NET_Advantage_Interactive_Limited	United Kingdom
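An added example, not from the original post: a small script that reads the link-host table above (a subset of its rows is embedded, tab-separated, with the columns domain, ip, reverse DNS, AS, AS name, country) and summarizes it the way an analyst triaging compromised link hosts would: domains per country, domains per AS, and IPs that carry more than one of the domains, which points at a shared server or shared hosting account rather than separate compromises. The column names and the NONE-means-no-reverse-DNS convention are taken from the table; everything else is this example's own.

```python
import csv
import io
from collections import Counter, defaultdict

# Subset of the rows from the table above, in the same tab-separated layout.
ROWS = """\
andletmedance.net\t87.106.152.85\tkundenserver.de.\t8560\tONEANDONE-AS_1&1_Internet_AG\tGermany
chrisball45.com\t67.18.3.50\tsavannah.websitewelcome.com.\t21844\tTHEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc.\tUnited States
cuddleupblankets.com\t74.53.108.34\tpulsar.websitewelcome.com.\t21844\tTHEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc.\tUnited States
copyaccess.com\t173.236.169.216\tapache2-quack.mamoudzou.dreamhost.com.\t26347\tDREAMHOST-AS_-_New_Dream_Network_LLC\tUnited States
funtimems.com\t173.236.169.216\tapache2-quack.mamoudzou.dreamhost.com.\t26347\tDREAMHOST-AS_-_New_Dream_Network_LLC\tUnited States
zendz.com\t67.205.28.59\tapache2-jolly.bugsy.dreamhost.com.\t26347\tDREAMHOST-AS_-_New_Dream_Network_LLC\tUnited States
extremewordpress.com\t119.18.57.42\tNONE\t33480\tWEBWERKSAS1_-_Web_Werks\tIndia
yorksmith.co.uk\t94.126.40.144\twebpool1.lcn.com.\t50056\tAI-NET_Advantage_Interactive_Limited\tUnited Kingdom
"""

COLUMNS = ["domain", "ip", "rdns", "asn", "as_name", "country"]


def parse_rows(text):
    """Parse the tab-separated table into dicts; a reverse DNS of NONE becomes None
    and the trailing dot of a reverse DNS name is dropped."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS, delimiter="\t")
    rows = []
    for row in reader:
        row["rdns"] = None if row["rdns"] == "NONE" else row["rdns"].rstrip(".")
        rows.append(row)
    return rows


def summarize(rows):
    """Count link-host domains per country and per AS, and list IPs that host
    more than one of them (one shared server or hosting account compromised once)."""
    by_country = Counter(r["country"] for r in rows)
    by_asn = Counter((r["asn"], r["as_name"]) for r in rows)
    domains_per_ip = defaultdict(list)
    for r in rows:
        domains_per_ip[r["ip"]].append(r["domain"])
    shared_ips = {ip: sorted(d) for ip, d in domains_per_ip.items() if len(d) > 1}
    return {"by_country": by_country, "by_asn": by_asn, "shared_ips": shared_ips}


if __name__ == "__main__":
    summary = summarize(parse_rows(ROWS))
    print("by country:", summary["by_country"].most_common())
    print("by AS:", summary["by_asn"].most_common())
    print("IPs hosting more than one domain:", summary["shared_ips"])
```

On the full table the same script shows the concentration that "mostly US" hints at: the bulk of the hosts sit in a handful of large shared-hosting ASes (ThePlanet, DreamHost, GoDaddy), which is what you would expect from compromised WordPress installs on commodity hosting rather than attacker-owned servers.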

Example of an attack-site domain. Registered just before the attack.

 Domain Name: SYNERGYLEDLIGHTING.NET
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: NS1.GRAPECOMPUTERS.NET
   Name Server: NS1.HIRING-DECISIONS.COM
   Status: clientTransferProhibited
   Updated Date: 15-feb-2012
   Creation Date: 07-feb-2012
   Expiration Date: 07-feb-2013
 
 115.249.190.46
 
 inetnum:	115.249.0.0 - 115.249.255.255
 netname:	RCOM-Static-DIA
 country:	IN
 descr:		RCOM-Static-DIA
 admin-c:	AH406-AP
 tech-c:		AH406-AP
 status:		ASSIGNED NON-PORTABLE
 changed:        antiabuse.support@relianceada.com 20101022
 mnt-by:		MAINT-IN-SN
 source:		APNIC

India, then.

[Category: spam observation diary]

by jyake