
The Electronic Payments Association spam

Published: 2011/11/24

This is another variation of the ACH Payment family of spam.


The email body looks like this:

It appears to be a .doc file, but it is actually a link to a site like the following:

 http://vaatsalya.co.in/9ecdb1/index.html

The contents of the index.html file:

The contents of the js.js file:

The contents of the ajaxm.js file:

The contents of the file that gets downloaded:

The vulnerability used in the attack appears to be CVE-2010-1885.

The link that is extracted from it:

 http://westarray.com/content/g43kb6j34kblq6jh34kb6j3kl4.jar 

What g43kb6j34kblq6jh34kb6j3kl4.jar really is (4/43 detections):

http://www.virustotal.com/file-scan/report.html?id=7f733e33db885978d83bb88baadd9b79c714f982009826ba7a2cce656ddab8d2-1322111620


Examples of the URLs used in the email body:

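The landing URLs above share one shape: a short random directory name followed by index.html, and the exploit page then fetches a .jar with a long random name. As an added example (not part of the original post), the following Python script flags proxy-log requests that match those two shapes and counts them per host, a first step toward the per-domain summary that follows. The log line format and the hostnames in the sample are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Landing-page shape used by this campaign: a 6-7 character lowercase
# alphanumeric directory (optionally under a ~user prefix) followed by index.html.
LANDING_RE = re.compile(r"(?:^|/)[a-z0-9]{6,7}/index\.html$")
# Java payload fetched by the exploit page: a long random basename ending in .jar.
PAYLOAD_RE = re.compile(r"/[a-z0-9]{16,}\.jar$")

def classify_url(url):
    """Return 'landing', 'payload' or None for a single URL."""
    path = urlsplit(url).path.lower()
    if LANDING_RE.search(path):
        return "landing"
    if PAYLOAD_RE.search(path):
        return "payload"
    return None

def scan_proxy_log(lines):
    """Parse 'timestamp client method url status' lines (a constructed format) and
    return (hits, per_host): hits = [(timestamp, client, kind, url)], per_host = Counter."""
    hits = []
    per_host = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip it
        ts, client, _method, url, _status = parts[:5]
        kind = classify_url(url)
        if kind:
            hits.append((ts, client, kind, url))
            per_host[urlsplit(url).hostname] += 1
    return hits, per_host

# Constructed sample proxy log (hostnames are placeholders, not real indicators).
SAMPLE_LOG = """\
2011-11-24T09:01:02Z 10.0.0.5 GET http://landing-a.example/k7q2mwz/index.html 200
2011-11-24T09:01:03Z 10.0.0.5 GET http://landing-a.example/k7q2mwz/ajaxm.js 200
2011-11-24T09:01:05Z 10.0.0.5 GET http://payload-b.example/content/g43kb6j34kblq6jh34kb6j3kl4.jar 200
2011-11-24T09:02:10Z 10.0.0.7 GET http://www.example.com/docs/index.html 200
2011-11-24T09:02:11Z 10.0.0.7 GET http://cdn.example.com/lib/app.jar 200
""".splitlines()

if __name__ == "__main__":
    found, counts = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(counts.most_common())
```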

Summarizing the AS information for each domain gives the following:



[Category: spam observation diary]

by jyake