LinkdIn Reminder - minde.html
Published: 2012/07/11
Date observed: 2012/7/7
Volume: 200 messages/day
Technique: lure-URL type (link in the message body redirects the victim)
Goal: malware infection
Characteristics:
The script file placed on the compromised sites is named "minde.html"
The message text looks like this. LinkedIn seems to be a popular lure.
Examples of the lure links found in the message body.
http://covernow.ca//minde.html
http://beckybenning.com/wp-content/uploads/fgallery/minde.html
http://bretsky.neejean.org/minde.html
http://calipatria.pl/minde.html
http://cosplayclubnight.co.uk/minde.html
http://newcrestonchurch.org/wp-content/uploads/fgallery/minde.html
http://officeteam24.de/minde.html
http://on-music.fr/WP/wp-content/uploads/fgallery/minde.html
http://shashin.njmatsuya.com/lmwedding/wp-content/uploads/fgallery/minde.html
http://1d2.net/minde.html
http://aaronsadler.co.uk/minde.html
http://antiaging.mywebstarterkits.com/minde.html
http://apartment-anstel.de/wp-content/uploads/fgallery/minde.html
http://blogs.digitalmedianet.com/brad/minde.html
http://blog.websuace.com//minde.html
http://bowriverangling.com/wp-content/uploads/fgallery/minde.html
http://cherry-byte.com/wp-content/uploads/fgallery/minde.html
http://churchmystyle.com/wp-content/uploads/fgallery/minde.html
http://compassiongame.theunsignedsounds.com/minde.html
http://donmartel.com/wordpress/wp-content/uploads/fgallery/minde.html
http://holeshot.com.br/site/wp-content/uploads/fgallery/minde.html
http://joyoffelting.ca/wp-content/uploads/fgallery/minde.html
http://looklady.com/wp-content/uploads/fgallery/minde.html
http://lovapeace.de/wp-content/uploads/fgallery/minde.html
http://msfm.org/wp-content/uploads/fgallery/minde.html
http://nativeamericanservicesoftn.org/wp-content/uploads/fgallery/minde.html
http://patriot-online.com/wp-content/uploads/fgallery/minde.html
http://playfield-media.com/wp-content/uploads/fgallery/minde.html
http://raccoon-city.fr/wp-content/uploads/fgallery/minde.html
http://royceirrigation.360ibiz.co.uk/minde.html
http://spinkanimation.com/Index_empty/wp-content/uploads/fgallery/minde.html
http://straysfilm.co.uk/wp-content/uploads/fgallery/minde.html
http://tadels.alfahosting.org/wordpressSusanne/wp-content/uploads/fgallery/minde.html
http://tertuliaalternativa.com/minde.html
http://test.theunsignedsounds.com/minde.html
http://tomcartermortgage.com/wp-content/uploads/fgallery/minde.html
http://wubco.net//minde.html
http://xiagame.theunsignedsounds.com/minde.html
http://zgredaktor.pl/minde.html
As usual, sites that have been compromised are being used as redirectors; what distinguishes this run is that the file placed on them is named
minde.html
Where the sites used for the lure links are hosted.
Mostly US hosting services, it seems.
domain | IP | Reverse DNS | AS | AS Name | Country |
---|---|---|---|---|---|
donmartel.com | 216.177.139.128 | web22.websitesource.net. | 4250 | ALENT-ASN-1_-_Alentus_Corporation | UnitedStates |
blogs.digitalmedianet.com | 209.112.246.103 | lwdc.ar06.fa1-22.host6.23641.americanis.net. | 6130 | AIS-WEST_-_American_Internet_Services_LLC. | UnitedStates |
joyoffelting.ca | 64.141.2.137 | h137-2-141-64.wedohosting.com. | 6327 | SHAW_-_Shaw_Communications_Inc. | Canada |
apartment-anstel.de | 217.160.135.96 | hgesser.com. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
bretsky.neejean.org | 74.208.128.119 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
looklady.com | 82.165.68.213 | siyasiza.com. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
officeteam24.de | 87.106.19.68 | s15390649.onlinehome-server.info. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
on-music.fr | 82.165.112.2 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
wubco.net | 69.73.145.49 | marketing.graffinet.com. | 11042 | LANDIS-HOLDINGS-INC_-_Landis_Holdings_Inc | UnitedStates |
newcrestonchurch.org | 66.135.38.78 | silas.a1webserver.com. | 13768 | PEER1_-_Peer_1_Network_Inc. | UnitedStates |
blog.websuace.com | 108.59.252.48 | vps-1063379-4838.manage.myhosting.com. | 14242 | LOGICALSOLUTIONS_-_LogicalSolutions.net | UnitedStates |
shashin.njmatsuya.com | 67.210.98.240 | mania.lunarmania.com. | 15244 | ADDD2NET-COM-INC-DBA-LUNARPAGES_-_Lunar_Pages | UnitedStates |
zgredaktor.pl | 77.55.119.17 | aep17.rev.netart.pl. | 15967 | NETART_NetArt_Spolka_Akcyjna_Spolka_Komandytowo-Akcyjna | Poland |
tadels.alfahosting.org | 109.237.140.12 | alfa3048.alfahosting-server.de. | 16097 | HLKOMM_HL_komm_Telekommunikations_GmbH | Germany |
aaronsadler.co.uk | 94.23.253.79 | zeus.terrabithost.co.uk. | 16276 | OVH_OVH_Systems | France |
raccoon-city.fr | 213.186.33.19 | cluster010.ovh.net. | 16276 | OVH_OVH_Systems | France |
playfield-media.com | 178.77.80.94 | vwp6132.webpack.hosteurope.de. | 20773 | HOSTEUROPE-AS_Host_Europe_GmbH | Germany |
1d2.net | 66.185.29.69 | fr-dc1-A-5-Dist09B-Mod5-4.cyberlynk.net. | 21554 | CYBERLYNK_-_Wisconsin_CyberLynk_Network_Inc. | UnitedStates |
calipatria.pl | 205.196.20.120 | belair.icertified.net. | 22384 | NATIONALNET-1_-_NationalNet_Inc. | UnitedStates |
straysfilm.co.uk | 89.200.141.76 | stemcaa3.miniserver.com. | 24931 | DEDIPOWER_DediPower_Managed_Hosting_Limited | UnitedKingdom |
msfm.org | 69.174.114.214 | ecbiz65.inmotionhosting.com. | 25973 | GTT_Global_Telecom_&_Technology_ASN | UnitedStates |
covernow.ca | 173.236.243.124 | apache2-jiffy.shock.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
spinkanimation.com | 69.163.220.224 | apache2-sith.rome.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
churchmystyle.com | 184.168.137.1 | p3nlhg190c1190.shr.prod.phx3.secureserver.net. | 26496 | AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_LLC | UnitedStates |
nativeamericanservicesoftn.org | 184.168.139.1 | p3nlhg182c1182.shr.prod.phx3.secureserver.net. | 26496 | AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_LLC | UnitedStates |
holeshot.com.br | 187.45.195.183 | hm4730.locaweb.com.br. | 27715 | LocaWeb_Ltda | Brazil |
lovapeace.de | 85.197.120.16 | c3.confixx.webjanssen.de. | 29471 | WEBJANSSEN-DE_WebJanssen_ISP_ltd_&_Co_KG | Germany |
compassiongame.theunsignedsounds.com | 66.96.147.117 | 117.147.96.66.static.eigbox.net. | 29873 | BIZLAND-SD_-_The_Endurance_International_Group_Inc. | UnitedStates |
tertuliaalternativa.com | 66.96.147.108 | 108.147.96.66.static.eigbox.net. | 29873 | BIZLAND-SD_-_The_Endurance_International_Group_Inc. | UnitedStates |
test.theunsignedsounds.com | 66.96.147.117 | 117.147.96.66.static.eigbox.net. | 29873 | BIZLAND-SD_-_The_Endurance_International_Group_Inc. | UnitedStates |
xiagame.theunsignedsounds.com | 66.96.147.117 | 117.147.96.66.static.eigbox.net. | 29873 | BIZLAND-SD_-_The_Endurance_International_Group_Inc. | UnitedStates |
royceirrigation.360ibiz.co.uk | 82.113.142.144 | krait.lemonbiscuit.co.uk. | 30827 | XTRAORDINARY-AS_Xtraordinary_Networks_Ltd. | UnitedKingdom |
cosplayclubnight.co.uk | 79.170.44.77 | web77.extendcp.co.uk. | 31727 | NODE4-AS_Node4_Ltd_UK | UnitedKingdom |
patriot-online.com | 198.31.50.6 | host47.my-ehost.com. | 33724 | BIZNESSHOSTING_-_VOLICO | UnitedStates |
antiaging.mywebstarterkits.com | 50.22.11.13 | capslock.accountservergroup.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
beckybenning.com | 74.220.215.216 | host216.hostmonster.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
bowriverangling.com | 66.147.244.230 | box730.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
cherry-byte.com | 173.254.28.138 | just138.justhost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
tomcartermortgage.com | 74.220.207.138 | host138.hostmonster.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
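As an added triage helper (this is example code written for this page, not part of the original post or anything jyake published), the script below works through both the lure-URL list and the host/AS table above: it recognises the campaign file name on the parsed URL path only, classifies each path (the WordPress fgallery upload directory that most of the listed URLs share, a bare site root, or something else), and joins the hosts against a subset of the table to count redirectors per ASN. The URLs and table rows embedded in it are copied from the page; only a subset is included, and the category labels are the example's own.

```python
"""Triage of the "minde.html" lure URLs listed in the post.

Added example: not the post's own code.  SAMPLE_URLS and SAMPLE_AS_TABLE are
copied from the post's list and table (a subset); category names are ours.
"""
from collections import Counter
from urllib.parse import urlsplit

# Subset of the lure links quoted in the post.
SAMPLE_URLS = [
    "http://covernow.ca//minde.html",
    "http://beckybenning.com/wp-content/uploads/fgallery/minde.html",
    "http://blogs.digitalmedianet.com/brad/minde.html",
    "http://on-music.fr/WP/wp-content/uploads/fgallery/minde.html",
    "http://bretsky.neejean.org/minde.html",
    "http://bowriverangling.com/wp-content/uploads/fgallery/minde.html",
]

# Subset of the post's domain / IP / AS / country table: host -> (IP, ASN, country).
SAMPLE_AS_TABLE = {
    "covernow.ca": ("173.236.243.124", 26347, "UnitedStates"),
    "beckybenning.com": ("74.220.215.216", 46606, "UnitedStates"),
    "blogs.digitalmedianet.com": ("209.112.246.103", 6130, "UnitedStates"),
    "on-music.fr": ("82.165.112.2", 8560, "Germany"),
    "bretsky.neejean.org": ("74.208.128.119", 8560, "UnitedStates"),
    "bowriverangling.com": ("66.147.244.230", 46606, "UnitedStates"),
}

LURE_FILENAME = "minde.html"                      # file name noted in the post
FGALLERY_DIR = "/wp-content/uploads/fgallery/"    # directory most listed URLs share


def is_lure_url(url):
    """True when the last path component of an http(s) URL is the lure file name.

    Only the parsed path is compared, so a query string does not hide a match
    and a hostname that merely contains the string does not produce one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return parts.path.rsplit("/", 1)[-1].lower() == LURE_FILENAME


def classify_path(url):
    """Label the URL path: WordPress fgallery upload dir, bare site root, or other."""
    path = urlsplit(url).path
    if FGALLERY_DIR in path:
        return "wp-fgallery"
    # Some listed URLs have a doubled slash ("//minde.html"); collapse it.
    normalized = "/" + path.lstrip("/")
    if normalized == "/" + LURE_FILENAME:
        return "site-root"
    return "other"


def summarize(urls, as_table):
    """Return lure hosts, a path-category histogram and a per-ASN host count."""
    lures = [u for u in urls if is_lure_url(u)]
    hosts = sorted({urlsplit(u).hostname for u in lures})
    by_path = Counter(classify_path(u) for u in lures)
    by_asn = Counter(as_table[h][1] for h in hosts if h in as_table)
    return {"hosts": hosts, "by_path": dict(by_path), "by_asn": dict(by_asn)}


if __name__ == "__main__":
    report = summarize(SAMPLE_URLS, SAMPLE_AS_TABLE)
    print("lure hosts :", ", ".join(report["hosts"]))
    print("by path    :", report["by_path"])
    print("by ASN     :", report["by_asn"])
```

Feeding the full list and table from the post into `summarize` gives the per-provider breakdown the author eyeballed; the `is_lure_url` check is the piece to reuse in a mail-gateway or proxy-log filter, since it keys on the path component the post identifies as this run's constant.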
The attack itself is the same as always: infection through Java or PDF exploits, followed by information theft from the infected machine.
The main attack site was the domain below, but it no longer had an A record by the time of observation.
Domain Name: SPECIALLYREGARDING.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.ECOCABMEDIA.NET
Name Server: NS2.ECOCABMEDIA.NET
Status: clientTransferProhibited
Updated Date: 05-jul-2012
Creation Date: 28-jun-2012
Expiration Date: 28-jun-2013
by jyake