
Spam posing as an order confirmation from intuit inc

Published: 2012/03/03

Observed: 2012/3/2

Volume: 300 messages/day

Method: link embedded in the mail body

Purpose: malware download at the link destination

Characteristic: the link URL has the form "http://xxxxxxxx/wp-includes/int-market.html"

This is another variation of the type that targets vulnerabilities in Java, Acrobat and the like, but there are a few small differences.

The attack site is not on ".ru:8080".


The mail text looks like this.

The link takes the following form, and the contents of the HTML file are the same script as always.

 */wp-includes/int-market.html

The sequence after visiting the link follows the usual pattern, so I'll omit it.


The downloaded files have changed slightly.

 viewer.jar

https://www.virustotal.com/file/d800905ea7998f322f210d35ef053d83ef6f0407d96e51f87d076b885b2c5e3e/analysis/1330752090/

(6/41)

 ap2.php?f=f7d19

https://www.virustotal.com/file/5da804ee7840fb1800027afa03ff8e6871b9a953ba75625060ae131c73eb5921/analysis/1330752627/

(8/43)


Domains of the linked sites.

| Domain | IP | Reverse DNS | AS | AS Name | Country |
|---|---|---|---|---|---|
| drivefitnessbootcamp.com | 66.104.201.121 | cpanel.tdmg.mx.thornedigital.com. | 2828 | XO-AS15_-_XO_Communications | United States |
| yvondurelle.com | 207.210.85.226 | nuclear.dnsprotect.com. | 3595 | GNAXNET-AS_-_Global_Net_Access_LLC | United States |
| phatsonic.de | 82.165.76.52 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
| pierreaugier.com | 82.165.117.229 | kundenserver.de. | 8560 | ONEANDONE-AS_1&1_Internet_AG | Germany |
| test.theoryenterprises.com | 74.208.200.250 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States |
| tigerdirectgadgets.com | 50.21.178.174 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States |
| tigerdirectgps.com | 50.21.178.174 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States |
| tigerdirectkeyboardsandmice.com | 50.21.178.174 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States |
| tigerdirectlaptopaccessories.com | 50.21.178.174 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States |
| tiltstudios.net | 216.250.114.105 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States |
| traverseetours.com | 74.208.242.40 | perfora.net. | 8560 | ONEANDONE-AS_1&1_Internet_AG | United States |
| tiretowheel.com | 209.190.7.66 | 42.7.be.static.xlhost.com. | 10297 | ENET-2_-_eNET_Inc. | United States |
| thompsonnorthwest.com | 184.170.145.135 | NONE | 11051 | CYBERVERSE_-_Cyberverse_Inc. | United States |
| perevod.com.pl | 79.96.45.27 | v062257.home.net.pl. | 12824 | HOMEPL-AS_home.pl_autonomous_system | Poland |
| traducteur.com.pl | 79.96.45.27 | v062257.home.net.pl. | 12824 | HOMEPL-AS_home.pl_autonomous_system | Poland |
| traduzioni.com.pl | 79.96.45.27 | v062257.home.net.pl. | 12824 | HOMEPL-AS_home.pl_autonomous_system | Poland |
| tlh.up45.com | 205.161.30.55 | ip-205-161-30-55.nckcn.com. | 14174 | NCKCN_-_North_Central_Kansas_Community_Network_Co. | United States |
| testing.astutetraveler.com | 174.129.37.255 | ec2-174-129-37-255.compute-1.amazonaws.com. | 14618 | AMAZON-AES_-_Amazon.com_Inc. | United States |
| topsmartphones.de | 89.31.143.116 | NONE | 15598 | IP-EXCHANGE_IP_Exchange_GmbH | Germany |
| tlumacz-francuski.eu | 85.232.237.26 | unused-85.232.237.26.greener.pl. | 15694 | ATMAN_ATMAN_Autonomous_System | Poland |
| tlumaczenia-ukrainski.eu | 213.189.41.226 | host-213.189.41.226.greener.pl. | 15694 | ATMAN_ATMAN_Autonomous_System | Poland |
| tlumaczenia-ukrainski.eu | 217.149.245.178 | host-217.149.245.178.greener.pl. | 15694 | ATMAN_ATMAN_Autonomous_System | Poland |
| tophotelfrance.com | 188.165.209.105 | server1.hostamus.com. | 16276 | OVH_OVH_Systems | France |
| thisplanet.ru | 85.249.230.35 | NONE | 20597 | ELTEL-AS_ELTEL.NET_Autonomous_System | Russian Federation |
| textureandtype.com | 78.129.163.32 | box2.pixeno.com. | 20860 | IOMART-AS_Iomart | United Kingdom |
| bmwheadquarters.com | 174.121.164.66 | jin.webserversystems.com. | 21844 | THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc. | United States |
| bmwheadquarters.com | 174.121.164.66 | jin.webserversystems.com. | 21844 | THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc. | United States |
| thedizzybaker.com | 174.122.37.98 | zemni.site5.com. | 21844 | THEPLANET-AS_-_ThePlanet.com_Internet_Services_Inc. | United States |
| nsi-architects.com | 46.228.193.238 | phl098.http.ph. | 24961 | FIBREONE-AS_fibre_one_networks_GmbH_Duesseldorf | Germany |
| alternateendingstudios.net | 184.168.234.1 | p3nlhg144c1144.shr.prod.phx3.secureserver.net. | 26496 | AS-26496-GO-DADDY-COM-LLC_-_GoDaddy.com_Inc. | United States |
| nationalcampaignforqualityeducation.org | 69.161.141.42 | host-69-161-141-42.in2net.com. | 26753 | IN2NET-NETWORK_In2Net_network_inc. | Canada |
| emilyquerin.com | 64.29.151.221 | hostedc40.carrierzone.com. | 30447 | INFB2-AS_-_InternetNamesForBusiness.com | United States |
| pinckneysummercamps.com | 209.236.123.205 | us5.dal.thewebhostserver.com. | 30496 | COLO4_-_Colo4_LLC | United States |
| piapara.com | 216.70.71.205 | anguspoint.com.br. | 31815 | MEDIATEMPLE_-_Media_Temple_Inc. | United States |
| spiratechperformancemarketing.com | 50.28.91.182 | host.wealthytouch.com. | 32244 | LIQUID-WEB-INC_-_Liquid_Web_Inc. | United States |
| thegreenagebook.com | 50.28.33.81 | NONE | 32244 | LIQUID-WEB-INC_-_Liquid_Web_Inc. | United States |
| topproteinpowders.org | 50.28.27.219 | NONE | 32244 | LIQUID-WEB-INC_-_Liquid_Web_Inc. | United States |
| travislogie.com | 50.56.220.218 | 50-56-220-218.static.cloud-ips.com. | 33070 | RMH-14_-_Rackspace_Hosting | United States |
| todaystoptrends.com | 67.23.166.102 | unknown.static.avl.netriplex.com. | 36167 | NETRIPLEX01_-_NETRIPLEX_LLC | India |
| employment.rfidblocker.info | 173.192.206.4 | 173.192.206.4-static.reverse.softlayer.com. | 36351 | SOFTLAYER_-_SoftLayer_Technologies_Inc. | United States |
| thebestsearchengine.org | 173.233.69.208 | 173-233-69-208.STATIC.turnkeyinternet.net. | 40244 | TURNKEY-INTERNET_-_Turnkey_Internet_Inc. | United States |
| amettucuman.com.ar | 66.147.242.150 | box550.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | United States |
| deadworry.com | 67.20.73.37 | 67-20-73-37.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | United States |
| increaseverticaljumptoday.com | 66.147.244.83 | box783.bluehost.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | United States |
| nathansphere.com | 74.220.215.242 | host242.hostmonster.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | United States |
| theweedreview.com | 74.220.215.65 | host265.hostmonster.com. | 46606 | BLUEHOST-AS-2_-_Bluehost_Inc. | United States |
| thepepteam.com | 31.170.163.183 | 31-170-163-183.main-hosting.com. | 47583 | HOSTING-MEDIA_Aurimas_Rapalis_trading_as__II_Hosting_Media_ | United States |
| terziphoto.com | 178.236.176.69 | yutex04.yutex.ru. | 48232 | RSERVERS-AS_RSERVERS_TECH_S.R.L. | Netherlands |
| tlumacz-holenderski.eu | 212.91.6.51 | web1.47.pl. | 48707 | GREENER-AS_Greener_Marcin_Waligorski | Poland |
| tlumaczenia-chinski.eu | 212.91.6.51 | web1.47.pl. | 48707 | GREENER-AS_Greener_Marcin_Waligorski | Poland |
| tlumaczenia-ekspresowe.eu | 195.2.209.54 | web1.47.pl. | 48707 | GREENER-AS_Greener_Marcin_Waligorski | Poland |
| tlumaczenia-marketingowe.eu | 212.91.6.51 | web1.47.pl. | 48707 | GREENER-AS_Greener_Marcin_Waligorski | Poland |
| traductor.com.pl | 212.91.6.51 | web1.47.pl. | 48707 | GREENER-AS_Greener_Marcin_Waligorski | Poland |
| traffic-web.ru | 46.161.31.160 | shared.srv4.majorhost.net. | 52201 | TCTEL_LLC__TC_TEL_ | Russian Federation |

This time there is a somewhat larger share of Polish hosting mixed in.
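The indicators in this post (the fixed "/wp-includes/int-market.html" landing path, the two SHA-256 values from the VirusTotal links, and the compromised hosting domains) are the kind of thing a defender turns into a proxy-log or file-hash check. The script below is an added example, not code from the post or its author: the indicator values are copied from the post, while the proxy log format, the log lines and the client IPs are constructed for the demonstration.

```python
"""Indicator matching for the campaign described in the post.

Added example. Indicator values (path, SHA-256 digests, domain names) are
taken from the post; the log format and the sample log lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Landing-page path used by the campaign; the host part varied per
# compromised site, so the path alone is the stable indicator.
SUSPECT_PATH = re.compile(r"/wp-includes/int-market\.html$", re.IGNORECASE)

# SHA-256 digests from the two VirusTotal links in the post.
SUSPECT_SHA256 = {
    "d800905ea7998f322f210d35ef053d83ef6f0407d96e51f87d076b885b2c5e3e": "viewer.jar",
    "5da804ee7840fb1800027afa03ff8e6871b9a953ba75625060ae131c73eb5921": "ap2.php?f=f7d19",
}

# A few of the compromised hosts from the post's domain table.
SUSPECT_DOMAINS = {
    "drivefitnessbootcamp.com",
    "yvondurelle.com",
    "phatsonic.de",
    "test.theoryenterprises.com",
    "traffic-web.ru",
}


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL matches the campaign (empty list means no match)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: list[str] = []
    if SUSPECT_PATH.search(parts.path):
        reasons.append("campaign landing path")
    # Match the listed host itself or any name below it (e.g. www.<domain>).
    if any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS):
        reasons.append("known compromised host")
    return reasons


def classify_sha256(digest: str) -> str | None:
    """Map a downloaded file's SHA-256 (any case) to the payload name, if known."""
    return SUSPECT_SHA256.get(digest.strip().lower())


# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, reasons) for every well-formed line that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:  # skip malformed lines instead of failing the whole scan
            continue
        reasons = classify_url(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


# Constructed sample log: two campaign hits, one benign wp-includes request,
# one path-only hit on an unlisted host, and one malformed line.
SAMPLE_LOG = [
    "2012-03-02T09:14:05 10.0.0.23 GET http://drivefitnessbootcamp.com/wp-includes/int-market.html 200",
    "2012-03-02T09:14:09 10.0.0.23 GET http://www.yvondurelle.com/ 200",
    "2012-03-02T09:15:00 10.0.0.41 GET http://example.org/wp-includes/js/jquery.js 200",
    "2012-03-02T09:15:02 10.0.0.41 GET http://example.org/wp-includes/int-market.html 404",
    "garbage line that does not match the log format",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(reasons)}")
    print(classify_sha256("D800905EA7998F322F210D35EF053D83EF6F0407D96E51F87D076B885B2C5E3E"))
```

The path check is deliberately anchored on the full "/wp-includes/int-market.html" filename rather than on "/wp-includes/" alone, since that directory is served by every WordPress installation; the domain check is kept separate because a match on a listed host without the path is weaker evidence (the site is compromised, but the request may be benign).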

[Category: spam observation diary]

by jyake