
Tax Payment Failed - mail.htm

Published: 2012/06/18

Observed: 2012/6/15

Volume: 200 messages/day

Technique: lure URL (link-based)

Purpose: malware infection, redirection to advertising

Characteristics:

The script file planted on the compromised sites is named "mail.htm".

A "Tax Payment Failed" variant; this family comes around periodically, timed to the season.

The From header is LinkedIn, which has been common lately.

  • CVE-2010-1885 (Windows Help and Support Center, hcp:// protocol handler)
  • CVE-2012-0507 (Java SE, AtomicReferenceArray type confusion)

Message text

The URLs look like this:

 http://admissions.frenzet.net/mail.htm
 http://atimonan.org/mail.htm
 http://bdbm.fr/zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://chaisen.me/mail.htm
 http://dogreat.cn/mail.htm
 http://events.sdr.co.za/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://firstimagedemo.com/miami/admin/images/mail.htm
 http://hieutran.us/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://hypnosis.plrproducts-kabineti.com/mail.htm
 http://lenkasony.ru/mail.htm
 http://let-flo-in-australia.fr/mail.htm
 http://mainemates.com/mail.htm
 http://owhstudios.org/mail.htm
 http://pictures.iwantallama.info/mail.htm
 http://qualitycounter.com/fckeditor/editor/plugins/ajaxfilemanager/inc/mail.htm
 http://s2.zufall.nu/photo/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://takeofftrading.com/images/mail.htm
 http://vipsites.marketplace-kabineti.com/mail.htm
 http://wesotech.com/mail.htm
 http://www.basarkoleji.k12.tr/kadro/mail.htm
 http://www.charlotteforest.fr/book/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://www.clinicaodontec.com.br/mail.htm
 http://www.diningallegheny.com/js_scripts/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://www.eqmuse.com/mail.htm
 http://www.hoteleczechy.pl/02eed88a2333db92e80148ff459f86d5/mail.htm
 http://www.manushi.in/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://www.marikbreton.com/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
 http://www.npftin.ru/mail.htm
 http://www.sudas.com.cn/mail.htm
 http://www.weissmueller-fotografie.de/RW/zen_v2/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm

The sites where the redirect script file was planted are listed below. Roughly the same cast of countries and ASes as usual?

domain | IP | reverse DNS | ASN | AS name | country
sunvistaproducts.com | 71.39.17.26 | NONE | 209 | ASN-QWEST_-_Qwest_Communications_Company_LLC | UnitedStates
atimonan.org | 66.11.230.169 | 66-11-230-169.iinet.pdx.dotster.net. | 2044 | IINET-2044_-_Infinity_Internet_Inc. | UnitedStates
infotogo.ro | 66.11.230.197 | 66-11-230-197.iinet.pdx.dotster.net. | 2044 | IINET-2044_-_Infinity_Internet_Inc. | UnitedStates
owhstudios.org | 66.11.230.244 | 66-11-230-244.iinet.pdx.dotster.net. | 2044 | IINET-2044_-_Infinity_Internet_Inc. | UnitedStates
chaisen.me | 106.187.39.214 | li382-214.members.linode.com. | 2516 | KDDI_KDDI_CORPORATION | Japan
s2.zufall.nu | 81.226.68.214 | h214n1fls303o291.telia.com. | 3301 | TELIANET-SWEDEN_TeliaSonera_AB | Sweden
raharjo.info | 64.22.86.218 | NONE | 3595 | GNAXNET-AS_-_Global_Net_Access_LLC | UnitedStates
dogreat.cn | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China
kvsspb.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation
www.gift-book.sp.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation
www.npftin.ru | 194.8.181.65 | vh2.sp.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation
printhouse.inf.br | 189.11.152.7 | ns1.fasttelecom.com.br. | 8167 | TELESC_-_Telecomunicacoes_de_Santa_Catarina_SA | Brazil
lenkasony.ru | 81.177.6.231 | NONE | 8342 | RTCOMM-AS_OJSC_RTComm.RU | RussianFederation
emmanuel.rs | 212.200.56.19 | cpanel.zrlocal.net. | 8400 | TELEKOM-AS_TELEKOM_SRBIJA_a.d. | Serbia
sonjamarinkovic.edu.rs | 212.200.56.19 | cpanel.zrlocal.net. | 8400 | TELEKOM-AS_TELEKOM_SRBIJA_a.d. | Serbia
ourarmory.org | 74.208.33.67 | s123623075.onlinehome.us. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates
www.pigeonnews.com | 74.208.156.177 | tkmfoundation.org. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates
guitar.nyanta.jp | 59.106.19.22 | www592.sakura.ne.jp. | 9370 | SAKURA-B_SAKURA_Internet_Inc. | Japan
health.n-clover.info | 219.94.128.161 | www921.sakura.ne.jp. | 9371 | SAKURA-C_SAKURA_Internet_Inc. | Japan
onlineshop-moko.com | 210.224.185.72 | www2462.sakura.ne.jp. | 9371 | SAKURA-C_SAKURA_Internet_Inc. | Japan
www.kiraken.co.jp | 219.94.192.110 | www1700.sakura.ne.jp. | 9371 | SAKURA-C_SAKURA_Internet_Inc. | Japan
aymeric.pansu.net | 88.191.146.185 | dedibox.pansu.eu. | 12322 | PROXAD_Free_SAS | France
takeofftrading.com | 23.21.185.208 | ec2-23-21-185-208.compute-1.amazonaws.com. | 14618 | AMAZON-AES_-_Amazon.com_Inc. | UnitedStates
www.hoteleczechy.pl | 77.79.194.204 | 77.79.194.204.webexperience.pl. | 15694 | ATMAN_ATMAN_Autonomous_System | Poland
admissions.frenzet.net | 178.79.187.234 | li356-234.members.linode.com. | 15830 | TELECITY-LON_TELECITYGROUP_INTERNATIONAL_LIMITED | UnitedKingdom
www.aleco.co.rs | 217.26.70.81 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia
www.neimarkg.rs | 217.26.70.79 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia
www.nenad-negotin.in.rs | 217.26.70.81 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia
www.snd.org.rs | 217.26.70.83 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia
bdbm.fr | 213.186.33.87 | cluster014.ovh.net. | 16276 | OVH_OVH_Systems | France
let-flo-in-australia.fr | 213.186.33.40 | cluster011.ovh.net. | 16276 | OVH_OVH_Systems | France
www.charlotteforest.fr | 213.186.33.19 | cluster010.ovh.net. | 16276 | OVH_OVH_Systems | France
www.madou.fr | 213.186.33.87 | cluster014.ovh.net. | 16276 | OVH_OVH_Systems | France
www.portalminassaude.com.br | 201.20.23.18 | senacmg201.canalminassaude.com.br. | 16397 | Comdominio_SA | Brazil
www.bjhbxn.com | 115.47.170.103 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
www.sudas.com.cn | 115.47.67.184 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China
www.diningallegheny.com | 209.20.82.15 | 209-20-82-15.static.cloud-ips.com. | 19994 | RACKSPACE_-_Rackspace_Hosting | UnitedStates
www.weissmueller-fotografie.de | 178.77.85.29 | vwp7338.webpack.hosteurope.de. | 20773 | HOSTEUROPE-AS_Host_Europe_GmbH | Germany
ker.cal24.pl | 46.4.74.241 | pekin.cal.pl. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany
blog.yourls.org | 69.163.185.30 | apache2-ugly.stampeders.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
events.sdr.co.za | 173.236.224.199 | apache2-cid.phoenix.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
goalsforgirls.org | 75.119.220.189 | apache2-cabo.wario.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
mainemates.com | 173.236.203.157 | apache2-rank.alfirk.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
pictures.iwantallama.info | 173.236.177.187 | apache2-grog.alkurud.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
salonownerresources.com | 67.205.60.20 | apache2-whippit.bullseye.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
wiki.gl-como.it | 69.163.200.4 | apache2-daisy.zagreb.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
www.eqmuse.com | 173.236.203.119 | apache2-ogle.alfirk.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
www.rango.me | 173.236.241.210 | apache2-olive.bluebombers.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates
www.ed.cl | 200.6.117.132 | www.digitaria.cl. | 27659 | Ingeniería_e_Informática_Asociada_Ltda_(IIA_Ltda) | Chile
www.paz.cl | 200.6.117.132 | pedigree.digitaria.cl. | 27659 | Ingeniería_e_Informática_Asociada_Ltda_(IIA_Ltda) | Chile
www.bencekence.hu | 79.172.211.108 | dani.tarhely.eu. | 29278 | DENINET-HU-AS_Deninet_KFT | Hungary
hypnosis.plrproducts-kabineti.com | 91.186.20.67 | dns2.supremecenter16.co.uk. | 29550 | SIMPLYTRANSIT_Simply_Transit_Ltd | UnitedKingdom
vipsites.marketplace-kabineti.com | 91.186.20.67 | dns2.supremecenter16.co.uk. | 29550 | SIMPLYTRANSIT_Simply_Transit_Ltd | UnitedKingdom
studio-piccolastella.pl | 82.96.94.2 | baldur.vel.pl. | 29686 | PROBENETWORKS-AS_Probe_Networks | Germany
qualitycounter.com | 208.131.133.67 | 208.131.133.67.west-datacenter.net. | 29854 | WESTHOST_-_WestHost_Inc. | UnitedStates
www.marykatherinezablocki.com | 108.59.11.84 | web28.webfaction.com. | 30633 | LEASEWEB-US_-_Leaseweb_USA_Inc. | UnitedKingdom
www.marikbreton.com | 62.149.140.134 | webx124.aruba.it. | 31034 | ARUBA-ASN_Aruba_S.p.A._-_Network | Italy
handsandheartsintl.org | 209.151.166.230 | windycitywebsites.com. | 31797 | GALAXYVISIONS_-_Galaxyvisions_Inc | UnitedStates
wesotech.com | 50.6.129.33 | NONE | 32392 | OPENTRANSFER-ECOMMERCE_-_Ecommerce_Corporation | UnitedStates
webmail.firstbaja.com | 65.60.55.184 | expressweb.us. | 32475 | SINGLEHOP-INC_-_SingleHop | UnitedStates
www.deveducation.co.in | 72.55.164.113 | ip-72-55-164-113.static.privatedns.com. | 32613 | IWEB-AS_-_iWeb_Technologies_Inc. | Canada
www.clinicaodontec.com.br | 108.179.193.202 | NONE | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates
www.manushi.in | 184.172.58.108 | 184.172.58.108-static.reverse.softlayer.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates
www.newcastle-upon-tyne.infolinia.org | 195.114.0.27 | infolinia.org. | 41079 | SUPERHOST-PL-AS_SuperHost.pl_sp._z_o.o. | Poland
www.basarkoleji.k12.tr | 77.245.149.21 | host21.b6.nw.com.tr. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey
hieutran.us | 69.89.31.223 | box423.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates
firstimagedemo.com | 173.0.137.76 | NONE | 53628 | APYLI-AS_-_Apyl_Inc | UnitedStates
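The host table as originally pasted on this page ran its six columns (domain, IP, reverse DNS, ASN, AS name, country) together with no separators. The script below is an added example, my code rather than anything from the post, that splits such rows back into columns and then answers the author's question directly by pivoting on ASN and country; it also buckets the landing URLs by where mail.htm was dropped, since many of the listed paths share the same `.../ajaxfilemanager/inc/mail.htm` tail. Assumptions that are mine, not the page's: the reverse-DNS field always ends in a dot or is the literal NONE, the AS name starts with a capital letter, and the country is one of the spellings in COUNTRIES, which I copied from the page's rows (AS name and country are glued together, so a closed country list is what makes the split unambiguous). The bucket labels "webroot", "ajaxfilemanager" and "other" are mine, and the sample rows and URLs are a handful copied from the page.

```python
"""Reconstruct this page's run-together redirector-host table and pivot it.

Added example (not code from the original post). Columns per row, with no
delimiter between them:  domain | ip | rdns-or-NONE | asn | as_name | country
Assumptions (mine, not the page's): rdns ends with a dot or is NONE, as_name
starts with an ASCII capital, country is one of COUNTRIES (copied from the page).
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Country spellings exactly as they occur in the page's table (assumed closed set).
COUNTRIES = (
    "RussianFederation", "UnitedKingdom", "UnitedStates", "Azerbaijan",
    "Germany", "Hungary", "Brazil", "Canada", "France", "Poland", "Serbia",
    "Sweden", "Turkey", "Chile", "China", "Italy", "Japan",
)

ROW_RE = re.compile(
    r"^(?P<domain>[a-z0-9.-]*?[a-z])?"       # ends in a TLD letter; absent in the IP-only table
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
    r"(?P<rdns>NONE|(?:[a-z0-9-]+\.)+)"      # dotted labels with a trailing dot
    r"(?P<asn>\d+)"
    r"(?P<as_name>[A-Z].*?)"                 # lazy: stops where a known country starts
    r"(?P<country>" + "|".join(COUNTRIES) + r")$"
)


def parse_row(line):
    """Split one run-together row; None for the header, blank or unparsable lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["domain"] = row["domain"] or ""          # IP-only table has no domain column
    row["asn"] = int(row["asn"])
    row["rdns"] = "" if row["rdns"] == "NONE" else row["rdns"].rstrip(".")
    return row


def parse_table(text):
    return [r for r in map(parse_row, text.splitlines()) if r]


def pivot(rows, column):
    """Number of rows per distinct value of `column` ('asn', 'country', ...)."""
    return Counter(r[column] for r in rows)


def classify_url(url):
    """Where on the compromised host the mail.htm page was dropped (my labels)."""
    path = urlparse(url).path
    if path.endswith("/ajaxfilemanager/inc/mail.htm"):
        return "ajaxfilemanager"   # plugin path shared by many of the page's URLs
    if path == "/mail.htm":
        return "webroot"
    return "other"


def drop_locations(urls):
    return Counter(map(classify_url, urls))


def join_urls(urls, rows):
    """Map each URL's host to its table row (None when the page lists no row for it)."""
    by_domain = {r["domain"]: r for r in rows if r["domain"]}
    return {urlparse(u).netloc: by_domain.get(urlparse(u).netloc) for u in urls}


# Sample input: rows and URLs copied verbatim from the page, header line included.
SAMPLE_TABLE = """\
domainip逆引きASAS NameCountry
sunvistaproducts.com71.39.17.26NONE209ASN-QWEST_-_Qwest_Communications_Company_LLCUnitedStates
atimonan.org66.11.230.16966-11-230-169.iinet.pdx.dotster.net.2044IINET-2044_-_Infinity_Internet_Inc.UnitedStates
chaisen.me106.187.39.214li382-214.members.linode.com.2516KDDI_KDDI_CORPORATIONJapan
www.hoteleczechy.pl77.79.194.20477.79.194.204.webexperience.pl.15694ATMAN_ATMAN_Autonomous_SystemPoland
events.sdr.co.za173.236.224.199apache2-cid.phoenix.dreamhost.com.26347DREAMHOST-AS_-_New_Dream_Network_LLCUnitedStates
mainemates.com173.236.203.157apache2-rank.alfirk.dreamhost.com.26347DREAMHOST-AS_-_New_Dream_Network_LLCUnitedStates
www.ed.cl200.6.117.132www.digitaria.cl.27659Ingeniería_e_Informática_Asociada_Ltda_(IIA_Ltda)Chile
"""

SAMPLE_URLS = [
    "http://atimonan.org/mail.htm",
    "http://chaisen.me/mail.htm",
    "http://events.sdr.co.za/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm",
    "http://firstimagedemo.com/miami/admin/images/mail.htm",
    "http://mainemates.com/mail.htm",
    "http://www.hoteleczechy.pl/02eed88a2333db92e80148ff459f86d5/mail.htm",
]

if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print("by ASN:    ", pivot(rows, "asn").most_common())
    print("by country:", pivot(rows, "country").most_common())
    print("drop path: ", drop_locations(SAMPLE_URLS).most_common())
    for host, row in join_urls(SAMPLE_URLS, rows).items():
        print(host, "->", (row["asn"], row["country"]) if row else "not in table")
```

Paste the full table into SAMPLE_TABLE to run the pivot over every row. The closed COUNTRIES list is the fragile part: a row whose country spelling is not in it fails to match and is silently dropped, so compare len(rows) with the number of non-header input lines before trusting the counts.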

The actual landing site the redirects lead to looks like this. Note that the domain was registered on 2012.06.05, ten days before this campaign was observed, and the four IPs it resolves to sit in four different ASes.

 domain:        SUMATRANAJUGE.RU
 nserver:       ns1.sumatranajuge.ru. 62.213.64.161
 nserver:       ns2.sumatranajuge.ru. 62.76.189.62
 nserver:       ns3.sumatranajuge.ru. 85.214.204.32
 nserver:       ns4.sumatranajuge.ru. 50.57.88.200
 nserver:       ns5.sumatranajuge.ru. 41.66.137.155
 nserver:       ns6.sumatranajuge.ru. 50.57.43.49
 state:         REGISTERED, DELEGATED, UNVERIFIED
 person:        Private Person
 registrar:     NAUNET-REG-RIPN
 admin-contact: https://client.naunet.ru/c/whoiscontact
 created:       2012.06.05
 paid-till:     2013.06.05
 free-date:     2013.07.06
 source:        TCI
IP | reverse DNS | ASN | AS name | country
89.111.177.151 | fe102-1.hc.ru. | 41126 | CENTROHOST-AS_JSC_Centrohost | RussianFederation
94.20.30.91 | NONE | 29049 | DELTA-TELECOM-AS_Delta_Telecom_LTD. | Azerbaijan
173.224.209.130 | woodstock.unixbsd.info. | 40676 | PSYCHZ_-_Psychz_Networks | UnitedStates
213.17.171.186 | 213-17-171-186.ip.netia.com.pl. | 12741 | INTERNETIA-AS_Netia_SA | Poland

[Category: spam observation diary]

by jyake