Sponsored by..

Monday, 13 February 2012

"Scan from a Xerox W. Pro #6999878 " spam / ckolmadiiasf.ru

This spam comes with a malicious attachment that attempts to download malware from ckolmadiiasf.ru:8080/images/aublbzdni.php

Date:      Mon, 12 Feb 2012 07:57:23 +0700
From:      scan@victimdomain.com
Subject:      Fwd: Scan from a Xerox W. Pro #6999878
Attachments:     Xerox_Doc-l1616.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.

Number of Images: 6
Attachment File Type: .HTML [Internet Explorer Format]

Xerox WorkCentre Location: machine location not set
Device Name: XEROX5427OD9ID86

This is one of those cases where the malicious domain is massively multihomed (there's a plain list at the end of the post if you want to copy and paste): (OVH Systems, France) (Amazon Data Services, Ireland) (Steadfast Networks, US) (Slicehost, US) (Slicehost, US) (Comcast Business Communications, US) (Colopronto, US) (iPower, US) (MVN Systems Ltd, Bulgaria) (Neterra Ltd, Bulgaria) (Free SAS / ProXad, France) (SiliconTower, Spain) (Hosting Services Inc, US) (Slicehost, US) (Linode, US) (ThePlanet, US) (Slicehost, US) (Slicehost, US) (G2KHosting, Argentina) (Century Telecom Ltda, Brazil) (Jaidee Daijai, US)

Looks familiar? Well, it is almost identical to this list with a few servers taken out of action.

No comments: