Tax Payment Failed - mail.htm
Published: 2012/06/18
Observed: 2012/6/15
Volume: 200 messages/day
Method: lure-URL type (the mail carries a link; no attachment)
Purpose: malware infection, advertising redirection
Characteristics:
The script file planted on the compromised sites is named "mail.htm".
"Tax Payment Failed" campaigns recur periodically, timed to the season.
The From address is LinkedIn, which has been common lately.
Exploits seen on the landing site:
- CVE-2010-1885 (Windows Help and Support Center hcp:// URL validation bypass)
- CVE-2012-0507 (Java AtomicReferenceArray type confusion, sandbox escape)
Message text
The URLs look like this (every one ends in mail.htm; many sit under an editor's ajaxfilemanager/inc/ directory):
http://admissions.frenzet.net/mail.htm
http://atimonan.org/mail.htm
http://bdbm.fr/zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://chaisen.me/mail.htm
http://dogreat.cn/mail.htm
http://events.sdr.co.za/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://firstimagedemo.com/miami/admin/images/mail.htm
http://hieutran.us/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://hypnosis.plrproducts-kabineti.com/mail.htm
http://lenkasony.ru/mail.htm
http://let-flo-in-australia.fr/mail.htm
http://mainemates.com/mail.htm
http://owhstudios.org/mail.htm
http://pictures.iwantallama.info/mail.htm
http://qualitycounter.com/fckeditor/editor/plugins/ajaxfilemanager/inc/mail.htm
http://s2.zufall.nu/photo/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://takeofftrading.com/images/mail.htm
http://vipsites.marketplace-kabineti.com/mail.htm
http://wesotech.com/mail.htm
http://www.basarkoleji.k12.tr/kadro/mail.htm
http://www.charlotteforest.fr/book/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://www.clinicaodontec.com.br/mail.htm
http://www.diningallegheny.com/js_scripts/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://www.eqmuse.com/mail.htm
http://www.hoteleczechy.pl/02eed88a2333db92e80148ff459f86d5/mail.htm
http://www.manushi.in/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://www.marikbreton.com/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
http://www.npftin.ru/mail.htm
http://www.sudas.com.cn/mail.htm
http://www.weissmueller-fotografie.de/RW/zen_v2/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
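The list above is an IOC feed in all but name: every redirector is a full URL to mail.htm, and the post also names the landing domain. The script below, an added example that is not part of the original post, normalizes a subset of those URLs into indicators (exact URL, host, and where in the site mail.htm was planted), then runs constructed proxy log lines through them. The log format, the landing-host set and the tags are this example's own assumptions; the generic "any /mail.htm" rule is deliberately reported as the weakest match because that filename is not unique to this campaign.

```python
"""Turn the mail.htm redirector URLs into indicators and match proxy log lines.
Added example; not from the original post."""
import re
from urllib.parse import urlsplit

# Subset of the URLs listed above (copied from the post).
REDIRECTOR_URLS = [
    "http://chaisen.me/mail.htm",
    "http://atimonan.org/mail.htm",
    "http://bdbm.fr/zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm",
    "http://qualitycounter.com/fckeditor/editor/plugins/ajaxfilemanager/inc/mail.htm",
    "http://www.manushi.in/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm",
    "http://takeofftrading.com/images/mail.htm",
]

# Landing domain named in the post (the redirect target).
LANDING_HOSTS = {"sumatranajuge.ru"}

# Heuristic: the post says the planted file is always named mail.htm.
MAIL_HTM = re.compile(r"^https?://[^/\s]+(?:/[^\s]*)?/mail\.htm$", re.I)


def build_indicators(urls):
    """Return (exact_urls, hosts, tags).

    tags maps host -> where mail.htm sits: 'ajaxfilemanager' (inside an
    editor file-manager directory), 'webroot' (directly under /), 'other'.
    The tag names are an assumption of this example, not the post's."""
    exact, hosts, tags = set(), set(), {}
    for u in urls:
        parts = urlsplit(u.strip())
        host = parts.hostname.lower()
        exact.add(f"{parts.scheme}://{host}{parts.path}")
        hosts.add(host)
        if "ajaxfilemanager/inc" in parts.path:
            tags[host] = "ajaxfilemanager"
        elif parts.path == "/mail.htm":
            tags[host] = "webroot"
        else:
            tags[host] = "other"
    return exact, hosts, tags


def classify_request(url, exact, hosts):
    """Return the strongest match reason for one requested URL, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if f"{parts.scheme}://{host}{parts.path}" in exact:
        return "exact-url"
    if host in LANDING_HOSTS:
        return "landing-domain"
    if host in hosts:
        return "known-host"          # other content on a compromised site
    if MAIL_HTM.match(url):
        return "mail.htm-pattern"    # weak: any site may host a mail.htm
    return None


# Constructed proxy log lines, one request per line:
# "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1339718400 10.0.0.5 GET http://chaisen.me/mail.htm 200
1339718401 10.0.0.5 GET http://sumatranajuge.ru/ 200
1339718430 10.0.0.7 GET http://www.example.com/index.html 200
1339718440 10.0.0.9 GET http://takeofftrading.com/images/logo.png 200
1339718450 10.0.0.9 GET http://some-other-host.example/newsletter/mail.htm 200
"""


def scan_log(text, urls=REDIRECTOR_URLS):
    """Return [(timestamp, client, url, reason)] for every matching line."""
    exact, hosts, _ = build_indicators(urls)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                  # malformed line; skip rather than crash
        ts, client, _method, url, _status = fields[:5]
        reason = classify_request(url, exact, hosts)
        if reason:
            hits.append((ts, client, url, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

In practice the "known-host" and "mail.htm-pattern" hits are triage leads rather than alerts: the compromised sites are legitimate, so traffic to their other pages is expected, and the client that fetched mail.htm and then the landing domain within a second or two (as in the sample) is the one worth pulling a browser history from.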
The sites on which the redirect script was planted are as follows. Roughly the same cast of countries and ASes as usual?
domain | ip | reverse DNS | AS | AS Name | Country |
---|---|---|---|---|---|
sunvistaproducts.com | 71.39.17.26 | NONE | 209 | ASN-QWEST_-_Qwest_Communications_Company_LLC | UnitedStates |
atimonan.org | 66.11.230.169 | 66-11-230-169.iinet.pdx.dotster.net. | 2044 | IINET-2044_-_Infinity_Internet_Inc. | UnitedStates |
infotogo.ro | 66.11.230.197 | 66-11-230-197.iinet.pdx.dotster.net. | 2044 | IINET-2044_-_Infinity_Internet_Inc. | UnitedStates |
owhstudios.org | 66.11.230.244 | 66-11-230-244.iinet.pdx.dotster.net. | 2044 | IINET-2044_-_Infinity_Internet_Inc. | UnitedStates |
chaisen.me | 106.187.39.214 | li382-214.members.linode.com. | 2516 | KDDI_KDDI_CORPORATION | Japan |
s2.zufall.nu | 81.226.68.214 | h214n1fls303o291.telia.com. | 3301 | TELIANET-SWEDEN_TeliaSonera_AB | Sweden |
raharjo.info | 64.22.86.218 | NONE | 3595 | GNAXNET-AS_-_Global_Net_Access_LLC | UnitedStates |
dogreat.cn | 218.83.160.69 | NONE | 4812 | CHINANET-SH-AP_China_Telecom_(Group) | China |
kvsspb.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation |
www.gift-book.sp.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation |
www.npftin.ru | 194.8.181.65 | vh2.sp.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation |
printhouse.inf.br | 189.11.152.7 | ns1.fasttelecom.com.br. | 8167 | TELESC_-_Telecomunicacoes_de_Santa_Catarina_SA | Brazil |
lenkasony.ru | 81.177.6.231 | NONE | 8342 | RTCOMM-AS_OJSC_RTComm.RU | RussianFederation |
emmanuel.rs | 212.200.56.19 | cpanel.zrlocal.net. | 8400 | TELEKOM-AS_TELEKOM_SRBIJA_a.d. | Serbia |
sonjamarinkovic.edu.rs | 212.200.56.19 | cpanel.zrlocal.net. | 8400 | TELEKOM-AS_TELEKOM_SRBIJA_a.d. | Serbia |
ourarmory.org | 74.208.33.67 | s123623075.onlinehome.us. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
www.pigeonnews.com | 74.208.156.177 | tkmfoundation.org. | 8560 | ONEANDONE-AS_1&1_Internet_AG | UnitedStates |
guitar.nyanta.jp | 59.106.19.22 | www592.sakura.ne.jp. | 9370 | SAKURA-B_SAKURA_Internet_Inc. | Japan |
health.n-clover.info | 219.94.128.161 | www921.sakura.ne.jp. | 9371 | SAKURA-C_SAKURA_Internet_Inc. | Japan |
onlineshop-moko.com | 210.224.185.72 | www2462.sakura.ne.jp. | 9371 | SAKURA-C_SAKURA_Internet_Inc. | Japan |
www.kiraken.co.jp | 219.94.192.110 | www1700.sakura.ne.jp. | 9371 | SAKURA-C_SAKURA_Internet_Inc. | Japan |
aymeric.pansu.net | 88.191.146.185 | dedibox.pansu.eu. | 12322 | PROXAD_Free_SAS | France |
takeofftrading.com | 23.21.185.208 | ec2-23-21-185-208.compute-1.amazonaws.com. | 14618 | AMAZON-AES_-_Amazon.com_Inc. | UnitedStates |
www.hoteleczechy.pl | 77.79.194.204 | 77.79.194.204.webexperience.pl. | 15694 | ATMAN_ATMAN_Autonomous_System | Poland |
admissions.frenzet.net | 178.79.187.234 | li356-234.members.linode.com. | 15830 | TELECITY-LON_TELECITYGROUP_INTERNATIONAL_LIMITED | UnitedKingdom |
www.aleco.co.rs | 217.26.70.81 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia |
www.neimarkg.rs | 217.26.70.79 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia |
www.nenad-negotin.in.rs | 217.26.70.81 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia |
www.snd.org.rs | 217.26.70.83 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia |
bdbm.fr | 213.186.33.87 | cluster014.ovh.net. | 16276 | OVH_OVH_Systems | France |
let-flo-in-australia.fr | 213.186.33.40 | cluster011.ovh.net. | 16276 | OVH_OVH_Systems | France |
www.charlotteforest.fr | 213.186.33.19 | cluster010.ovh.net. | 16276 | OVH_OVH_Systems | France |
www.madou.fr | 213.186.33.87 | cluster014.ovh.net. | 16276 | OVH_OVH_Systems | France |
www.portalminassaude.com.br | 201.20.23.18 | senacmg201.canalminassaude.com.br. | 16397 | Comdominio_SA | Brazil |
www.bjhbxn.com | 115.47.170.103 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
www.sudas.com.cn | 115.47.67.184 | NONE | 17964 | DXTNET_Beijing_Dian-Xin-Tong_Network_Technologies_Co._Ltd. | China |
www.diningallegheny.com | 209.20.82.15 | 209-20-82-15.static.cloud-ips.com. | 19994 | RACKSPACE_-_Rackspace_Hosting | UnitedStates |
www.weissmueller-fotografie.de | 178.77.85.29 | vwp7338.webpack.hosteurope.de. | 20773 | HOSTEUROPE-AS_Host_Europe_GmbH | Germany |
ker.cal24.pl | 46.4.74.241 | pekin.cal.pl. | 24940 | HETZNER-AS_Hetzner_Online_AG_RZ | Germany |
blog.yourls.org | 69.163.185.30 | apache2-ugly.stampeders.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
events.sdr.co.za | 173.236.224.199 | apache2-cid.phoenix.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
goalsforgirls.org | 75.119.220.189 | apache2-cabo.wario.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
mainemates.com | 173.236.203.157 | apache2-rank.alfirk.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
pictures.iwantallama.info | 173.236.177.187 | apache2-grog.alkurud.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
salonownerresources.com | 67.205.60.20 | apache2-whippit.bullseye.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
wiki.gl-como.it | 69.163.200.4 | apache2-daisy.zagreb.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
www.eqmuse.com | 173.236.203.119 | apache2-ogle.alfirk.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
www.rango.me | 173.236.241.210 | apache2-olive.bluebombers.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
www.ed.cl | 200.6.117.132 | www.digitaria.cl. | 27659 | Ingeniería_e_Informática_Asociada_Ltda_(IIA_Ltda) | Chile |
www.paz.cl | 200.6.117.132 | pedigree.digitaria.cl. | 27659 | Ingeniería_e_Informática_Asociada_Ltda_(IIA_Ltda) | Chile |
www.bencekence.hu | 79.172.211.108 | dani.tarhely.eu. | 29278 | DENINET-HU-AS_Deninet_KFT | Hungary |
hypnosis.plrproducts-kabineti.com | 91.186.20.67 | dns2.supremecenter16.co.uk. | 29550 | SIMPLYTRANSIT_Simply_Transit_Ltd | UnitedKingdom |
vipsites.marketplace-kabineti.com | 91.186.20.67 | dns2.supremecenter16.co.uk. | 29550 | SIMPLYTRANSIT_Simply_Transit_Ltd | UnitedKingdom |
studio-piccolastella.pl | 82.96.94.2 | baldur.vel.pl. | 29686 | PROBENETWORKS-AS_Probe_Networks | Germany |
qualitycounter.com | 208.131.133.67 | 208.131.133.67.west-datacenter.net. | 29854 | WESTHOST_-_WestHost_Inc. | UnitedStates |
www.marykatherinezablocki.com | 108.59.11.84 | web28.webfaction.com. | 30633 | LEASEWEB-US_-_Leaseweb_USA_Inc. | UnitedKingdom |
www.marikbreton.com | 62.149.140.134 | webx124.aruba.it. | 31034 | ARUBA-ASN_Aruba_S.p.A._-_Network | Italy |
handsandheartsintl.org | 209.151.166.230 | windycitywebsites.com. | 31797 | GALAXYVISIONS_-_Galaxyvisions_Inc | UnitedStates |
wesotech.com | 50.6.129.33 | NONE | 32392 | OPENTRANSFER-ECOMMERCE_-_Ecommerce_Corporation | UnitedStates |
webmail.firstbaja.com | 65.60.55.184 | expressweb.us. | 32475 | SINGLEHOP-INC_-_SingleHop | UnitedStates |
www.deveducation.co.in | 72.55.164.113 | ip-72-55-164-113.static.privatedns.com. | 32613 | IWEB-AS_-_iWeb_Technologies_Inc. | Canada |
www.clinicaodontec.com.br | 108.179.193.202 | NONE | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
www.manushi.in | 184.172.58.108 | 184.172.58.108-static.reverse.softlayer.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | UnitedStates |
www.newcastle-upon-tyne.infolinia.org | 195.114.0.27 | infolinia.org. | 41079 | SUPERHOST-PL-AS_SuperHost.pl_sp._z_o.o. | Poland |
www.basarkoleji.k12.tr | 77.245.149.21 | host21.b6.nw.com.tr. | 43391 | NETDIREKT-TR_Netdirekt_A.S. | Turkey |
hieutran.us | 69.89.31.223 | box423.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | UnitedStates |
firstimagedemo.com | 173.0.137.76 | NONE | 53628 | APYLI-AS_-_Apyl_Inc | UnitedStates |
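Two things the table supports can be pulled out mechanically: the concentration of redirectors in a handful of hosting ASes, and domains that resolve to one IP (two or more sites on the same server or shared-hosting account, which usually means a single compromise rather than two). The script below is an added example, not the post's own tooling; it embeds a subset of rows copied from the table above, parses the pipe layout, and returns the per-AS and per-country counts plus the shared-IP groups. The column order is the table's own; the row selection is this example's.

```python
"""Pivot the redirector host table: counts by AS and country, and domains
sharing one IP. Added example; not from the original post."""
from collections import Counter, defaultdict

# Rows copied from the table above: domain | ip | reverse DNS | AS | AS Name | Country
TABLE = """\
domain | ip | reverse DNS | AS | AS Name | Country |
---|---|---|---|---|---|
kvsspb.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation |
www.gift-book.sp.ru | 195.131.162.2 | terraon.ru. | 6690 | WEBPLUS-AS_Web_Plus_ZAO | RussianFederation |
emmanuel.rs | 212.200.56.19 | cpanel.zrlocal.net. | 8400 | TELEKOM-AS_TELEKOM_SRBIJA_a.d. | Serbia |
sonjamarinkovic.edu.rs | 212.200.56.19 | cpanel.zrlocal.net. | 8400 | TELEKOM-AS_TELEKOM_SRBIJA_a.d. | Serbia |
www.aleco.co.rs | 217.26.70.81 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia |
www.nenad-negotin.in.rs | 217.26.70.81 | NONE | 15982 | VERAT-AS-1_Drustvo_za_telekomunikacije_Verat_d.o.o_Bulevar_Vojvode_Misica_37 | Serbia |
bdbm.fr | 213.186.33.87 | cluster014.ovh.net. | 16276 | OVH_OVH_Systems | France |
www.madou.fr | 213.186.33.87 | cluster014.ovh.net. | 16276 | OVH_OVH_Systems | France |
events.sdr.co.za | 173.236.224.199 | apache2-cid.phoenix.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
mainemates.com | 173.236.203.157 | apache2-rank.alfirk.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
pictures.iwantallama.info | 173.236.177.187 | apache2-grog.alkurud.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
www.eqmuse.com | 173.236.203.119 | apache2-ogle.alfirk.dreamhost.com. | 26347 | DREAMHOST-AS_-_New_Dream_Network_LLC | UnitedStates |
takeofftrading.com | 23.21.185.208 | ec2-23-21-185-208.compute-1.amazonaws.com. | 14618 | AMAZON-AES_-_Amazon.com_Inc. | UnitedStates |
"""

COLUMNS = ("domain", "ip", "ptr", "asn", "as_name", "country")


def parse_rows(text):
    """Parse the pipe table into dicts, skipping the header and separator."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "domain" or len(cells) != len(COLUMNS):
            continue                  # header or malformed row
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def count_by(rows, key):
    """Counter of rows per value of `key`, e.g. 'asn' or 'country'."""
    return Counter(r[key] for r in rows)


def top_as(rows, n=5):
    """[(asn, as_name, count)] for the n most frequent ASes."""
    names = {r["asn"]: r["as_name"] for r in rows}
    return [(asn, names[asn], c) for asn, c in count_by(rows, "asn").most_common(n)]


def shared_ips(rows):
    """{ip: [domains]} for IPs that host more than one listed domain."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["ip"]].append(r["domain"])
    return {ip: doms for ip, doms in groups.items() if len(doms) > 1}


if __name__ == "__main__":
    rows = parse_rows(TABLE)
    for asn, name, c in top_as(rows):
        print(f"AS{asn:<6} {c:2d}  {name}")
    for ip, doms in shared_ips(rows).items():
        print(ip, "->", ", ".join(doms))
```

Run against the full table rather than this subset, the shared-IP groups are the first thing to hand to a hosting provider's abuse desk: one ticket per server covers every domain on it.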
The main site they are redirected to is as follows. Note the registration date, 2012.06.05, ten days before the observation, and the six nameservers spread across unrelated IP ranges.
domain: SUMATRANAJUGE.RU
nserver: ns1.sumatranajuge.ru. 62.213.64.161
nserver: ns2.sumatranajuge.ru. 62.76.189.62
nserver: ns3.sumatranajuge.ru. 85.214.204.32
nserver: ns4.sumatranajuge.ru. 50.57.88.200
nserver: ns5.sumatranajuge.ru. 41.66.137.155
nserver: ns6.sumatranajuge.ru. 50.57.43.49
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.06.05
paid-till: 2013.06.05
free-date: 2013.07.06
source: TCI
IP | reverse DNS | AS | AS Name | Country |
---|---|---|---|---|
89.111.177.151 | fe102-1.hc.ru. | 41126 | CENTROHOST-AS_JSC_Centrohost | RussianFederation |
94.20.30.91 | NONE | 29049 | DELTA-TELECOM-AS_Delta_Telecom_LTD. | Azerbaijan |
173.224.209.130 | woodstock.unixbsd.info. | 40676 | PSYCHZ_-_Psychz_Networks | UnitedStates |
213.17.171.186 | 213-17-171-186.ip.netia.com.pl. | 12741 | INTERNETIA- AS_Netia_SA | Poland |
by jyake