Redirect to "Canadian farmacy home" - follow.html
Published: 2012/07/16
Observed: 2012/7/13
Volume: 100 messages/day
Technique: lure-URL type
Purpose: advertising lure
Characteristics:
The script file placed on the compromised site is named "follow.html"
Message body. There is no body text; the subject line itself is the pharmacy advertisement.
The lure URLs look like the following, which seems to be the current trend.
The distinctive feature is the file name "follow.html".
The contents are a script like this, which differs from the scripts seen in malware infections.
This script redirects the visitor to, for example, the following URL.
http://fastrxmeds.ru/secure.php?cmd=home
That is the usual pharmacy site.
Looking into the domains on which the redirector has been placed gives the following picture.
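The campaign fingerprint described above (a lure URL whose path ends in /follow.html, often under a shared-hosting ~user/ directory or on a bare IP address) can be checked mechanically on the mail-filter side. The following is an added example, not code from the original post; the message body, the .invalid host name and the 198.51.100.23 address are constructed sample data.

```python
import re
from urllib.parse import urlparse
from ipaddress import ip_address

# Constructed sample spam body in the style described in the post (not a real capture).
SAMPLE_BODY = """\
Canadian Pharmacy - best prices

http://example-shop.invalid/follow.html
http://198.51.100.23/~webuser/follow.html
http://example.org/news/index.html
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Per-user directory on shared hosting: /~user/follow.html
USERDIR_RE = re.compile(r"^/~[^/]+/follow\.html$")


def extract_urls(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def classify_url(url):
    """Classify one URL against the follow.html redirector fingerprint.

    Returns the host, whether the host is a bare IP address, whether the
    path is a ~user/ directory (shared hosting), and whether the URL
    matches the campaign pattern at all.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    path = parts.path
    try:
        ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    userdir = bool(USERDIR_RE.match(path))
    match = path.endswith("/follow.html") and not parts.query
    return {"url": url, "host": host, "bare_ip": bare_ip,
            "userdir": userdir, "match": match}


def flag_message(body):
    """Return the classified URLs in a message body that carry the fingerprint."""
    return [c for c in (classify_url(u) for u in extract_urls(body)) if c["match"]]
```

A hit on this fingerprint alone is a triage signal for quarantine or for notifying the hosting provider, not proof of compromise; the third sample URL shows an ordinary link that is left alone.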
It looks like the currently fashionable mass defacements, but the pattern is slightly different, so some of these pages may have been prepared specifically for the site in question.
As for the advertising site itself, the domain is registered in Russia and the site is hosted in Korea.
by jyake