
Spam impersonating Intuit Inc - prolintu.html

Published: 2012/07/19

Observed: 2012/7/17

Volume: 100 messages/day

Method: lure-URL type

Goal: malware infection

Characteristics:

The script file placed on the compromised sites is named "prolintu.html".

This is the pattern in fashion right now, but the Intuit Inc theme was already being used around spring of this year.


Message text.

The script file placed on the compromised sites is named "prolintu.html".


It looks like hosting services all over the world have been compromised.
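The telltale feature of this run is one identically named file ("prolintu.html") dropped onto many unrelated, compromised hosts. The following is an added example, not code from the original post: a small triage helper that groups URLs harvested from mail by path and flags any path that appears on several distinct registrable domains. The sample URLs and the `.example` hosts are constructed for illustration; the public-suffix handling is deliberately approximate.

```python
from collections import defaultdict
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Approximate registrable domain: last two labels, or three when the
    second-level label is a common ccTLD second level (co.uk, ne.jp, ...).
    A real deployment would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net", "ne", "or"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def suspicious_shared_paths(urls, min_domains=3):
    """Return {path: sorted domains} for every URL path that shows up on at
    least min_domains unrelated registrable domains. Legitimate sites rarely
    share an unusual filename; a spam run that plants one script on many
    hacked hosts does."""
    by_path = defaultdict(set)
    for u in urls:
        p = urlparse(u)
        if p.scheme not in ("http", "https") or not p.hostname:
            continue  # skip mailto:, bare text, etc.
        by_path[p.path].add(registrable_domain(p.hostname))
    return {path: sorted(d) for path, d in by_path.items() if len(d) >= min_domains}


# Constructed sample of URLs extracted from one day's spam (not real indicators).
SAMPLE_URLS = [
    "http://shop-a.example/prolintu.html",
    "http://blog-b.example.co.uk/prolintu.html",
    "http://www.site-c.example/prolintu.html",
    "http://site-c.example/prolintu.html",   # same registrable domain as above
    "http://news-d.example/index.html",
    "https://legit-e.example/login",
    "mailto:someone@example.org",
]

if __name__ == "__main__":
    for path, domains in suspicious_shared_paths(SAMPLE_URLS).items():
        print(f"{path}: seen on {len(domains)} domains -> {domains}")
```

Feeding the flagged path back into a mail filter or proxy block rule catches the whole run, regardless of which compromised host a given message points at.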


It redirects here.

 http://mailmergesfinger.org/main.php?page=bfc8be54a0120bca

Same as always.


Already dealt with?

 Domain ID:D166091193-LROR
 Domain Name:MAILMERGESFINGER.ORG
 Created On:16-Jul-2012 13:36:07 UTC
 Last Updated On:17-Jul-2012 09:35:10 UTC
 Expiration Date:16-Jul-2013 13:36:07 UTC
 Sponsoring Registrar:Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR)
 Status:CLIENT DELETE PROHIBITED
 Status:CLIENT HOLD
 Status:CLIENT RENEW PROHIBITED
 Status:CLIENT TRANSFER PROHIBITED
 Status:CLIENT UPDATE PROHIBITED
 Status:TRANSFER PROHIBITED
 Status:ADDPERIOD
 Registrant ID:CR_23226623
 Registrant Name:Cad Lashmit
 Registrant Organization:N/A
 Registrant Street1:W Alpine Rd
 Registrant Street2:
 Registrant Street3:
 Registrant City:Austin
 Registrant State/Province:TX
 Registrant Postal Code:78704
 Registrant Country:US

[Category: spam observation diary]

by jyake