
LinkdIn Reminder - minde.html

Published: 2012/07/11

Observed: 2012/7/7

Volume: 200 messages/day

Method: lure URL

Goal: malware infection

Characteristics:

The script file placed on each compromised site is named "minde.html"


This is what the message text looks like. LinkedIn seems to be popular with spammers.

Examples of the lure links in the message body.


As usual, sites that have been compromised are being used as redirectors, and the file placed on them is

 minde.html

which is the distinguishing feature of this campaign.


Where the sites used for the lure links are hosted.

Mostly US hosting services, it seems.


The attack itself is the same as always: Java and PDF exploits, followed by information theft after infection.

The actual attack site was the domain below, but it no longer had an A record by the time I looked.

 Domain Name: SPECIALLYREGARDING.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS1.ECOCABMEDIA.NET
   Name Server: NS2.ECOCABMEDIA.NET
   Status: clientTransferProhibited
   Updated Date: 05-jul-2012
   Creation Date: 28-jun-2012
   Expiration Date: 28-jun-2013
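As an added example, not from the original post, here is defender-side detection logic for the two observations above: the redirector file name "minde.html" (often under wp-content/uploads/fgallery/) and the very recent registration of the attack domain. The proxy log lines and host names are constructed; the whois date excerpt is the one quoted above.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the post): "date client url".
SAMPLE_LOG = """\
2012-07-07 10.0.0.5 http://example-blog.test/wp-content/uploads/fgallery/minde.html
2012-07-07 10.0.0.8 http://www.linkedin.com/e/reminder
2012-07-07 10.0.0.9 http://example-site.test//minde.html
2012-07-07 10.0.0.5 http://example-shop.test/images/banner.jpg
"""

# Excerpt of the whois record quoted in the post.
SAMPLE_WHOIS = "Creation Date: 28-jun-2012\nExpiration Date: 28-jun-2013\n"

LANDING_NAME = "minde.html"                      # redirector file name
FGALLERY_PATH = "/wp-content/uploads/fgallery/"  # most common drop path seen

def classify_url(url):
    """Return None, 'redirector' or 'redirector-fgallery' for one URL."""
    path = urlparse(url).path
    if path.rsplit("/", 1)[-1].lower() != LANDING_NAME:
        return None
    return "redirector-fgallery" if FGALLERY_PATH in path else "redirector"

def scan_log(text):
    """Return (client, url, label) for each log line matching the campaign."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue          # skip malformed lines instead of crashing
        _, client, url = parts
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits

WHOIS_DATE_RE = re.compile(r"Creation Date:\s*(\d{2})-([a-z]{3})-(\d{4})", re.I)
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}

def domain_age_days(whois_text, observed_iso):
    """Days from the whois creation date to the observation date, or None."""
    m = WHOIS_DATE_RE.search(whois_text)
    if not m:
        return None
    created = date(int(m.group(3)), MONTHS[m.group(2).lower()], int(m.group(1)))
    return (date.fromisoformat(observed_iso) - created).days
```

A domain created only days before the observation date is a strong signal on its own; combined with a redirector hit it is worth blocking at the proxy.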

[Category: spam observation diary]

by jyake