
Friday 11 November 2011

financialstatements.mrsdl.com, nookbizkitsad.com and 94.102.11.168

This is a pretty common virus-laden email, seen in two variants:

Subject: ACH Transfer was not accepted by our bank

Dear Bank Account Operator,

I regret to inform you that ACH Transfer created by you or on your behalf was not accepted by our bank.

Transaction ID: 1709919126682218
Current status of transaction: on hold

Please review transaction details as soon as possible.

Erika Y. Barnes
Treasury Management

and

Subject: Wire Transfer was not accepted by our bank

Dear Account Holder,

Wire Transfer sent by you or on your behalf was not accepted by our bank.

Transaction ID: 170992225147
Current status of transaction: pending

Please review transaction details as soon as possible.

Katherine Hess
Treasury Administration

There's a link in the email. The first port of call is a hacked legitimate website, which forwards the visitor to financialstatements.mrsdl.com. That site then delivers an HCP exploit (targeting the Windows Help Center hcp:// protocol handler) and tries to encourage the user to download malware.

The download is called updateflash.exe (MD5 31EA43D448086974125E9904AB1BB3C5). Vendor detection is patchy, with VirusTotal reporting just 20/43 products detecting it. ThreatExpert has a more detailed analysis here (useful if you are trying to disinfect a machine manually).

financialstatements.mrsdl.com is multihomed on several IP addresses, mostly cable modem customers in Spain. A hostname that resolves to a shifting set of residential broadband addresses like this is typical of fast-flux hosting on compromised home machines rather than of a conventional hosting provider:

71.217.16.172
84.123.147.172
84.124.179.183
84.126.255.46
85.86.48.130
85.219.28.52
178.139.18.243
212.225.172.73
218.216.37.66

Because of the wide range of IPs, and because residential addresses like these come and go as infected machines are cleaned or reconnected, blocking access to the entire mrsdl.com domain is probably easiest. Blocking the individual IPs is unlikely to stay effective for long.

The HCP exploit is hosted on nookbizkitsad.com, which sits on 94.102.11.168 in Turkey. This IP has a whole load of malicious sites on it (listed below), so blocking access to the IP itself is probably a good idea. The Wepawet report for this is here.
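As an added example (my own code, not part of the original post), here is the blocking advice from the last two paragraphs turned into a small detection script: it takes the indicators published here (mrsdl.com as a whole zone, nookbizkitsad.com, the residential IPs and 94.102.11.168), and scans Squid-format proxy log lines for requests to them. The domain match is done on label boundaries so that a look-alike such as notmrsdl.com does not trigger. The log lines are constructed for the demonstration; the hacked first-hop site is a placeholder because the post does not name it.

```python
"""Scan Squid proxy log lines for the indicators in this post.

Added example, not code from the post. Indicator values are copied from the
post; the log lines below are constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Block the whole mrsdl.com zone (the hosts rotate across residential IPs)
# plus the named exploit host.  Names listed as sharing 94.102.11.168 are
# covered by the IP block rather than enumerated here.
BLOCKED_DOMAINS = {
    "mrsdl.com", "nookbizkitsad.com", "code732546teh34.com",
    "digitalarmory.net", "worldisfriendly.com", "yourowndefence.net",
}
BLOCKED_IPS = {ipaddress.ip_address(a) for a in (
    "94.102.11.168", "71.217.16.172", "84.123.147.172", "84.124.179.183",
    "84.126.255.46", "85.86.48.130", "85.219.28.52", "178.139.18.243",
    "212.225.172.73", "218.216.37.66",
)}


def domain_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked zone or is a subdomain of one.

    financialstatements.mrsdl.com -> mrsdl.com matches; notmrsdl.com does
    not, because comparison is on whole labels, not substrings.
    """
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def ip_is_blocked(host, blocked=BLOCKED_IPS):
    """True if host is a literal IP address on the block list."""
    try:
        return ipaddress.ip_address(host) in blocked
    except ValueError:  # not an IP literal
        return False


def classify(url):
    """Return (reason, host): reason is 'ip', 'domain' or None."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    if ip_is_blocked(host):
        return "ip", host
    if domain_is_blocked(host):
        return "domain", host
    return None, host


# Squid native access.log: timestamp elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (timestamps fall on 11 Nov 2011); the hacked first
# hop is a placeholder name since the post does not identify the real site.
SAMPLE_LOG = """\
1320998400.123    412 10.1.2.3 TCP_MISS/302 512 GET http://hacked-site.invalid/files/statement.php - DIRECT/203.0.113.10 text/html
1320998400.456    833 10.1.2.3 TCP_MISS/200 2291 GET http://financialstatements.mrsdl.com/main.php?page=abc - DIRECT/84.123.147.172 text/html
1320998401.001    120 10.1.2.3 TCP_MISS/200 9981 GET http://nookbizkitsad.com/load.php?spl=hcp - DIRECT/94.102.11.168 text/html
1320998401.777    301 10.1.2.3 TCP_MISS/200 120342 GET http://94.102.11.168/updateflash.exe - DIRECT/94.102.11.168 application/octet-stream
1320998402.900     45 10.1.2.4 TCP_HIT/200 3210 GET http://www.notmrsdl.com/ - NONE/- text/html
"""


def scan_squid_log(text):
    """Return one dict per log line whose URL hits a blocked domain or IP."""
    hits = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        reason, host = classify(m.group("url"))
        if reason:
            hits.append({"client": m.group("client"), "host": host,
                         "reason": reason, "url": m.group("url")})
    return hits


if __name__ == "__main__":
    for h in scan_squid_log(SAMPLE_LOG):
        print(f"{h['client']} -> {h['host']} ({h['reason']}) {h['url']}")
```

Running it flags the three malicious requests from 10.1.2.3 (the mrsdl.com redirect target, the exploit host, and the executable fetched straight from the Turkish IP) and ignores the look-alike domain. In practice the same `classify` routine can be fed DNS query logs or a web filter's blocklist export instead of Squid lines.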

Sites hosted in the first "mrsdl.com" cluster include:
code732546teh34.com
mrsdl.com
financialstatements.mrsdl.com
titlefinancialstatements.mrsdl.com
digitalarmory.net
www.digitalarmory.net
worldisfriendly.com
yourowndefence.net

Sites hosted on 94.102.11.168 include:
teomagofagolo3488.co.cc
b3ibw00erdool.co.cc
frolenad.cu.cc
hkjhaqiewjkfasdfpckjhhejrf.cu.cc
m4everything.cu.cc
vjfgmifjdfkepodkfldetrg.cu.cc
kaublog.de
video-games04.ns1.name
gfqnjsqu.findhere.org
oepzvjb.myftp.org
codzicbvrc.myftp.org
dwcninccwc.myftp.org
kensndorqd.myftp.org
zsqnmpulsh.myftp.org
kqusyqj.myftp.org
nonuxbo.myftp.org
lfqcoep.myftp.org
bpocajyjs.myftp.org
orwobrysku.myftp.org
qszmsqjiiw.myftp.org
mexigxzy.myftp.org
ugkuhqerflaspeeeeggva.c0m.li
51se.stnet.nl
42se.stnet.nl
45se.stnet.nl
46se.stnet.nl
nookbizkitsad.com
gmbhsite.com
tvbkjizm.athersite.com
xpicktxr.athersite.com
imrzcsws.athersite.com
kaposuyx.athersite.com
pzwwnzky.athersite.com
coloique.com
rldthxahbw.freetcp.com
khraaqyh.uglyas.com
phpctuqz.assexyas.com
lyeldismnl.zyns.com
nhfeyo.zyns.com
fast.4pu.com
ztxserv1.in
deqiosta83.in
fantome456.in
mastrudinnnne9.in
rdolaminyollwa.in
ogoatl0.dynamic-dns-service.in
ybiyxd1.dynamic-dns-service.in
ijeuhs3.dynamic-dns-service.in
ohoymz4.dynamic-dns-service.in
teanainthernane.in
letingosite.in
clisselaweyzaii.in
fasstasharremi.in
ondayihasanzani.in
lephayndeleiul.in
rceytaronnistem.in
ffodenhenigunn.in
doritahalvarlyn.in
andracybinatono.in
kencexoveduner.in
eretansenoviver.in
preeeederdtt.in
rifaelmarmanlex.in
senaliaricangy.in
nex8.info
pis7ol.info
oalgrul.ddns.info
knyvan.ddns.info
innexts.info
hgkasdfqerofcvvuiajrfaqe.ce.ms
kleopatrik.ce.ms
pyrbvfmk.isgre.at
igazlaxn.bestdeals.at
ftgaxklp.bestdeals.at
schneller-reich.net
schnellerreich.net
schneller-reichshop.net
kopysgud.byinter.net
dzjartdj.byinter.net
bgtecocg.passinggas.net
lggpiiwm.passinggas.net
mhgtmvwm.passinggas.net
tyvsoxtn.isthebe.st
mgascbtp.ontheweb.nu
moiptenchik.ru
moiejik.ru
moisuslik.ru
moikonik.ru
moipesik.ru
fredom.ru
bqredret.ru
horkotov.ru
dfrtwintestingdomainlast222999.com.tw
