
us.html

Published: 2012/04/11

Observed: 2012/4/9 ~

Volume: about 200 messages/day

Method: the victim is lured into clicking a link in the message body, which leads to a malware download site

Goal: malware infection

Characteristics:

A variation of (the earlier campaign this refers to is not preserved on the page).

The lure link is "us.html".

Hmm, so this run of attacks falls into two kinds.


The message text is the usual one.

Examples of the lure URLs.

The distinguishing feature is the path: it is always us.html at the site root, and only the host changes.
http://artejorf.cl/us.html
http://asoch.cl/us.html
http://go2gamers.com/us.html
http://shop.brinybarsoap.com/us.html
http://cabattery-shop.com/us.html
http://khaoyainews.com/us.html
http://kharkovsky.ru/us.html
http://ngo82.com/us.html
http://cvkcha.com/us.html
http://bolsodecompra.com/us.html
http://carocuero.com/us.html
http://d.ocpc.pl/us.html
http://daintyhome.com.tr/us.html
http://mavidamla.com/us.html
http://myinterexchange.org/us.html
http://nhsdentistkensington.co.uk/us.html
http://ns2.ondawebserver.com.br/us.html
http://r-meb.com.pl/us.html
http://saleontents.com/us.html
http://servants-for-africa.com/us.html
http://xsidtec.com.br/us.html
http://waltereathos.com.br/us.html
http://advantagevideoproductions.com.au/us.html
http://aguape21.com.br/us.html
http://aid-homedecor.com/us.html
http://boobheadapparel.com/us.html
http://flustoppers.com/us.html
http://freezone.com.tw/us.html
http://intranet.lbdls.com/us.html
http://life.kendach.com/us.html
http://mycoachisjesus.com/us.html
http://nastix.ru/us.html
http://ocpc.pl/us.html
http://pabloaugusto.com/us.html
http://parkbenchproject.com/us.html
http://payetmuhendislik.com.tr/us.html
http://pudujk.com/us.html
http://pummelpress.net/us.html
http://sempaisports.com/us.html
http://vinjoyas.com.ar/us.html
http://pousadavaledoguama.com.br/us.html
http://afiphotos.com/us.html
http://domain.digitalk.cl/us.html
http://download.symbionis.at/us.html
http://dzialzabezpieczen.pl/us.html
http://enlacetelevision.com/us.html
http://folkmakt.nu/us.html
http://kultura-rossii.ru/us.html
http://m-mucha.eu/us.html
http://modifiedmotorsltd.com/us.html
http://okamegane.pinoyrocks.com/us.html
http://ordinaryone.com/us.html
http://sebasparigi.com.ar/us.html
http://stiegeler-shop.com/us.html
http://titanides.clementsmb.com/us.html
http://tonerok.kilu.de/us.html
http://waldemarak.pl/us.html
http://whois.astrohosts.co.uk/us.html
http://worldofappliance.co.uk/us.html
http://ysbes.ca/us.html

Right, so this series of attacks comes in two kinds.

This is the pattern where the downloaded file comes from one of these URLs:

 http://bamboozlefitclub.net/data/ap2.php
 http://bamboozlefitclub.net/main.php?page=745b81e2608709b2

ap2.php:

https://www.virustotal.com/file/9c98deaf2f1600a5cdb17f73e075599e5a49b22689070c94162bcb6ba35ec68d/analysis/1334118093/

(14/42 engines flagged it on VirusTotal)

main.php?page=745b81e2608709b2:

https://www.virustotal.com/file/e35ba4f87ccd233104bc841f5ef70f72313813832d1e0c46a4b026c50a406124/analysis/1334118179/

(3/42 engines flagged it on VirusTotal)
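As an added example (not code from the original post or from the campaign's operators), here is a small Python scanner that applies the two indicators above to mail bodies: it flags first-stage links whose path is exactly /us.html regardless of host, and tags second-stage URLs that match the two download shapes seen on this page (/data/ap2.php and /main.php?page=<16 hex characters>). The message bodies are constructed; only the lure hosts and download URLs are taken from the page. Treating the page= value as a 16-character lowercase hex token is an assumption generalized from the single value observed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample message bodies (not real spam from the campaign). The two
# lure links reuse hosts from the list above; example.org URLs are placeholders.
SAMPLE_MAILS = [
    "Hi, your statement is ready: http://artejorf.cl/us.html Regards",
    "Order confirmation: http://shop.brinybarsoap.com/us.html.",
    "Read more at http://example.org/about.html or http://example.org/news/us.html",
    "No links in this one.",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_PATH = "/us.html"                       # the campaign's fixed first-stage path
PAGE_TOKEN_RE = re.compile(r"[0-9a-f]{16}")  # assumed shape of the page= value


def extract_urls(text):
    """Pull http(s) URLs out of a message body, dropping trailing punctuation."""
    return [u.rstrip(".,;:)>'\"") for u in URL_RE.findall(text)]


def is_lure_url(url):
    """True when the path is exactly /us.html at the site root, on any host.

    A deeper path such as /news/us.html is deliberately not matched: every
    observed lure sits at the root, and matching only on the filename would
    sweep up unrelated sites.
    """
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.path == LURE_PATH


def lure_hosts(mails):
    """Count lure hosts across a batch of message bodies (host -> hits)."""
    hosts = Counter()
    for body in mails:
        for url in extract_urls(body):
            if is_lure_url(url):
                hosts[urlparse(url).hostname] += 1
    return dict(hosts)


def classify_second_stage(url):
    """Tag a URL that matches one of the two observed download shapes, else None."""
    p = urlparse(url)
    if p.path == "/data/ap2.php":
        return "ap2.php"
    if p.path == "/main.php":
        page = parse_qs(p.query).get("page", [""])[0]
        if PAGE_TOKEN_RE.fullmatch(page):
            return "main.php?page=<hex16>"
    return None


if __name__ == "__main__":
    print(lure_hosts(SAMPLE_MAILS))
    for u in ("http://bamboozlefitclub.net/data/ap2.php",
              "http://bamboozlefitclub.net/main.php?page=745b81e2608709b2"):
        print(u, "->", classify_second_stage(u))
```

The host is deliberately ignored for the first stage: the list above shows that the attackers rotate through dozens of unrelated hosts, so a host blocklist lags the campaign, while the fixed path does not.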


whois for afiphotos.com (one of the lure hosts) and its address:

   Domain Name: AFIPHOTOS.COM
   Registrar: NEW DREAM NETWORK, LLC
   Whois Server: whois.dreamhost.com
   Referral URL: http://www.dreamhost.com
   Name Server: NS1.DREAMHOST.COM
   Name Server: NS2.DREAMHOST.COM
   Name Server: NS3.DREAMHOST.COM
   Status: ok
   Updated Date: 09-aug-2011
   Creation Date: 09-aug-2010
   Expiration Date: 09-aug-2012
 
 173.236.192.199
 
 NetRange:       173.236.128.0 - 173.236.255.255
 CIDR:           173.236.128.0/17
 OriginAS:       AS26347
 NetName:        DREAMHOST-BLK10
 NetHandle:      NET-173-236-128-0-1
 Parent:         NET-173-0-0-0-0
 NetType:        Direct Allocation
 RegDate:        2010-03-30
 Updated:        2012-03-02
 OrgName:        New Dream Network, LLC
 OrgId:          NDN
 Address:        417 Associated Rd.
 Address:        PMB #257
 City:           Brea
 StateProv:      CA
 PostalCode:     92821
 Country:        US
 RegDate:        2001-04-17
 Updated:        2009-03-25
 
whois for bamboozlefitclub.net (the download host) and the addresses recorded for it:

   Domain Name: BAMBOOZLEFITCLUB.NET
   Registrar: WILD WEST DOMAINS, LLC
   Whois Server: whois.wildwestdomains.com
   Referral URL: http://www.wildwestdomains.com
   Name Server: NS1.GRAPECOMPUTERS.NET
   Name Server: NS2.GRAPECOMPUTERS.NET
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 05-apr-2012
   Creation Date: 04-apr-2012
   Expiration Date: 04-apr-2013
 
 85.189.11.134
 
 inetnum:        85.189.11.32 - 85.189.11.255
 netname:        GIS-LEASED-LINES-DERBY
 descr:          Ethernet & Serial Links from Pride Park Datacentre
 country:        GB
 41.64.21.71
 
 inetnum:        41.64.0.0 - 41.64.255.255
 netname:        Dynamic-ADSL
 descr:          Dynamic ADSL customers and Reseller
 country:        EG

Note that bamboozlefitclub.net was registered on 2012-04-04, only days before the first observed messages, whereas the lure host afiphotos.com dates from 2010; the two address blocks listed after the download host are a UK leased-line range and an Egyptian dynamic ADSL range.

[Category: spam observation diary]

by jyake