cNotes 検索 一覧 カテゴリ

BBB - compl.html

Published: 2012/02/22

観測日: 2012/2/21~

通数: 500通~/day

目的: javaの脆弱性を利用した攻撃等→アカウント情報を盗む、FakeAV等

特徴: URLにcompl.html

継続中の攻撃のバリエーションの一つ。ちょっとずつ変えてきます。

メール文中のリンクに使われているサイトは、アカウントを盗まれたサイト系だと思われます。次から次へとたくさんあります。

アンチウィルスの反応が鈍いので、マルウェア自体は改変なくそのまま?


こんな文面。

compl.htmlの中身。

ここから先はいつもどおり。


ダウンロードされるファイル。

 jav.jar

https://www.virustotal.com/file/c5e72243db3ac25e850dc035a367d34e652215805ec2287b5ff7863bdc5196c5/analysis/1329884876/

(5/43) CVE-2011-3544

 obe.jar

https://www.virustotal.com/file/55a6b95df8a618b96b2f5d722b14b1c3bf9a9851eda898e11c6118c0271af491/analysis/1329884963/

(13/43) CVE-2010-0840


メール文面中のリンクに利用されているサイト。アカウントを盗まれたサイトでしょう。

domainip逆引きASAS NameCountry
lege.com.tw122.117.4.205122-117-4-205.HINET-IP.hinet.net.3462HINET_Data_Communication_Business_GroupTaiwan
magazinfengshui.ro89.42.219.102vps086.whmpanels.com.5606KQRO_GTS_Telecom_SRLRomania
ninetynine.be176.28.21.199lvps176-28-21-199.dedicated.hosteurope.de.20773HOSTEUROPE-AS_Host_Europe_GmbHGermany
askerimalzemeleri.com127.0.0.1localhost.NONEHOSTEUROPE-AS_Host_Europe_GmbHAddressnot
grupolafuente.com.mx72.32.187.62mail.estrasol.com.mx.33070RMH-14_-_Rackspace_HostingUnitedStates
pupilion.pl89.161.236.160v047912.home.net.pl.12824HOMEPL-AS_home.pl_autonomous_systemPoland
crisalide.com193.201.171.7atargatis.agmasys.com.3313INET-AS_BT_Italia_S.p.A.Italy
jainarayan.in75.126.196.19975.126.196.199-static.reverse.softlayer.com.36351SOFTLAYER_-_SoftLayer_Technologies_Inc.UnitedStates
messages.altervista.org78.46.89.66ns106.altervista.org.24940HETZNER-AS_Hetzner_Online_AG_RZGermany
woodworkx.co.za41.86.104.25041-86-104-250-hosted.hadar.za-dns.com.10474MWEB-10474SouthAfrica
lmlr.fr193.33.169.138web24.synten.com.35344SYNTEN-AS_SYNTEN_SARLFrance
quady-matrix.freehostia.com66.40.52.187NONE11388MAXIM_-_Peer_1_Dedicated_HostingUnitedStates
shop-anzeiger.de195.225.236.162jmnetcreation.viennaweb.at.31239VIENNAWEB-AS_Internet_Viennaweb_Service_GmbHAustria
shop.irancg.com174.36.84.92ns1.persianservices.com.36351SOFTLAYER_-_SoftLayer_Technologies_Inc.UnitedStates
hermestools.eu217.97.216.17www.internetdsl.pl.5617TPNET_Telekomunikacja_Polska_S.A.Poland
neu.rautemusik-shop.de80.67.28.165tarazet.ispgateway.de.34011DOMAINFACTORY_domainfactory_GmbHGermany
richportfordlincoln.com207.96.225.40virtuals.auto123.com.5769VIDEOTRON_-_Videotron_Telecom_LteeCanada
shop.aselectro.ro188.240.2.8585-2-static.mxserver.ro.35818WEBFACTOR-AS_Webfactor_SRLRomania
wear.illusion-pictures.cz88.86.107.79mysak.core.mujhost.net.39392SUPERNETWORK-AS_SuperNetwork_s.r.o.CzechRepublic
dime.org65.182.101.125yuma2.brinkster.com.33055BCC-65-182-96-0-PHX_-_Brinkster_Communications_CorporationUnitedStates
proagris.pl95.211.54.140da21.domeny.com.16265LEASEWEB_LeaseWeb_B.V.Netherlands
searchcolleges.info184.168.53.1p3nlhg244c1244.shr.prod.phx3.secureserver.net.26496AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc.UnitedStates
shop.latoi.com68.178.235.107ip-68-178-235-107.ip.secureserver.net.26496AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc.UnitedStates
cadys.nexenservices.com217.174.203.4pauillac.nexen.net.16128AGARIK-BULLPI-NETWORK_AGARIK_and_BULLPI_provide_WEB_Servers_Hosting_and_dedicated_Internet_ConnectionFrance
shanebradley.com.au198.104.61.25shanebradley.com.au.2914NTT-COMMUNICATIONS-2914_-_NTT_America_Inc.UnitedStates
fendleyflowers.com209.87.224.150colo-a1flowers.storm.ca.13319S-I-S_-_Storm_Internet_ServicesCanada
glycopyc.com41.86.104.183hosted.gamma.za-dns.com.10474MWEB-10474SouthAfrica
studijko.eu95.168.205.158rio03.vas-server.cz.39392SUPERNETWORK-AS_SuperNetwork_s.r.o.CzechRepublic
avtotrgovina.com91.185.211.69avtotrgovina.com.41828TUSMOBIL_TUSMOBIL_networkSlovenia
blog.livetattva.com190.98.219.12power52.powerhost.cl.14259Gtd_Internet_S.A.Chile
caramba38.ru149.154.67.58firstvds.ru.29182ISPSYSTEM-AS_ISPsystem_Autonomous_SystemRussianFederation
jmgsystemas.com127.0.0.1localhost.NONEISPSYSTEM-AS_ISPsystem_Autonomous_SystemAddressnot
sophiamichelen.com184.168.53.1p3nlhg244c1244.shr.prod.phx3.secureserver.net.26496AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc.UnitedStates
zaira.ts9.ru91.223.216.66NONE46636NATCOWEB_-_NatCoWeb_Corp.Ukraine
home.alarak.net209.190.61.19sv31.byethost31.org.10297ENET-2_-_eNET_Inc.UnitedKingdom
ibdi-edu.com.br187.45.207.85NONE27715LocaWeb_LtdaBrazil
shoptuning.altervista.org78.129.205.116ns75.altervista.org.20860IOMART-AS_IomartItaly
co-basics.nl217.18.75.165hosted.by.qweb.nl.20495WEDARE_We_Dare_BV_Autonomous_SystemNetherlands
inframob.com82.97.15.156156-receptnet.15-cust.tasfrance.com.8554ATSAT_TAS_FranceFrance
casamama.nl109.72.86.5nl05.pcextreme.nl.48635PCEXTREME_PCextreme_B.V.Netherlands
eprom.wroclaw.pl85.128.150.124akt124.rev.netart.pl.15967NETART_NetArt_Spolka_Akcyjna_Spolka_Komandytowo-AkcyjnaPoland
spicyshop.altervista.org78.46.36.176ns91.altervista.org.24940HETZNER-AS_Hetzner_Online_AG_RZGermany
filateliaplebani.it193.41.235.41slc.servrent.net.16257REGDOM_Servizi_InternetItaly
ome.altervista.org78.46.36.176ns91.altervista.org.24940HETZNER-AS_Hetzner_Online_AG_RZGermany
pccamelotshop.altervista.org178.63.47.209ns114.altervista.org.24940HETZNER-AS_Hetzner_Online_AG_RZGermany
stigmawear.com198.107.28.71stigmawear.com.2914NTT-COMMUNICATIONS-2914_-_NTT_America_Inc.UnitedStates
in.somnia.us98.131.36.2rev.opentransfer.com.2.36.131.98.in-addr.arpa.32392OPENTRANSFER-ECOMMERCE_-_Ecommerce_CorporationUnitedStates
pcbuyit.de46.252.27.231j21655.servers.jiffybox.net.34011DOMAINFACTORY_domainfactory_GmbHGermany
bransales.com.br200.98.246.148cpweb0035.servidorwebfacil.com.7162Itanet_-_Itamarati_On-Line_Ltda.Brazil
condemnedtohell.com184.168.138.1p3nlhg186c1186.shr.prod.phx3.secureserver.net.26496AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc.UnitedStates
kriiac.altervista.org78.46.70.119ns112.altervista.org.24940HETZNER-AS_Hetzner_Online_AG_RZGermany

[カテゴリ:spam観察日記]

by jyake