Wednesday 14 March 2012

goo.gl/NEQlS link leads to malware

Another case of the goo.gl redirector being used for evil:

From: Dilip Lalita dklalita1977@yahoo.com
Date: 14 March 2012 09:38
Subject: Changes in FDIC policy #22666447
Signed by: yahoo.com

Id 36-4866333-96425034-8-662
< !--KG 19021150 K

http://goo.gl/NEQlS

HF 22555007 Z

goo.gl/NEQlS leads to m6ttp.burdencrigyll.ru (multihomed, see below) and then to a malicious payload site at 64.150.166.50/showthread.php?t=72d268be707a5fb7 (iPower, US). That URL hosts an exploit kit.

The intermediate step is hosted on several servers:

31.40.240.89 (Ukrainian American Joint Venture, Ukraine)
31.45.144.128 (VIPnet, Croatia)
46.146.101.194 (ER-Telecom Holding, Russia)
46.173.172.249 (Galitski Telekommunications, Ukraine)
49.0.153.231 (Yokozunanet, Mongolia)
59.93.196.162 (BSNL Internet, India)
59.103.211.151 (Pakistan Telecommunication Company Limited, Pakistan)
59.161.115.17 (TATA Communications, India)
61.227.168.35 (HINET, Taiwan)
77.34.225.103 (Rostelecom, Russia)
91.82.23.56 (Invitel, Hungary)
95.57.154.111 (Kazakhtelecom, Kazakhstan)
95.57.188.134 (Kazakhtelecom, Kazakhstan)
95.188.155.101 (Rostelecom, Russia)
95.234.146.196 (Alice, Italy)
109.191.44.122 (Intersvyaz-2, Russia)
114.163.159.142 (Open Computer Network, Japan)
115.242.148.93 (Reliance Communication, India)
122.175.149.136 (Bharti Airtel, India)
178.91.60.141 (Kazakhtelecom, Kazakhstan)
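An added example (not part of the original post) that checks proxy logs for the three stages of this chain: the goo.gl shortlink, the multihomed burdencrigyll.ru redirector (by hostname or by any of the IPs listed above), and the payload URL on 64.150.166.50. The log format (timestamp, client IP, URL per line) and the sample log lines are assumptions constructed for the demo; the indicators themselves are taken from the post.

```python
import re
from collections import defaultdict

# Indicators from the post above.
REDIRECT_DOMAIN = "burdencrigyll.ru"
PAYLOAD_HOST, PAYLOAD_PATH = "64.150.166.50", "/showthread.php"
MULTIHOMED_IPS = {
    "31.40.240.89", "31.45.144.128", "46.146.101.194", "46.173.172.249",
    "49.0.153.231", "59.93.196.162", "59.103.211.151", "59.161.115.17",
    "61.227.168.35", "77.34.225.103", "91.82.23.56", "95.57.154.111",
    "95.57.188.134", "95.188.155.101", "95.234.146.196", "109.191.44.122",
    "114.163.159.142", "115.242.148.93", "122.175.149.136", "178.91.60.141",
}

# Assumed log format: "<timestamp> <client_ip> <url>" (one request per line).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^(?:https?://)?([^/:]+)(?::\d+)?(/.*)?$")


def stage_for(url):
    """Return which stage of the redirect chain a URL belongs to, or None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    if host == "goo.gl" and path.startswith("/NEQlS"):
        return "shortlink"
    if host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN):
        return "redirector"
    if host in MULTIHOMED_IPS:          # redirector reached by raw IP
        return "redirector"
    if host == PAYLOAD_HOST and path.startswith(PAYLOAD_PATH):
        return "exploit_kit"
    return None


def scan_proxy_log(lines):
    """Map each client IP to the ordered, de-duplicated stages it touched."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                     # skip malformed lines
        _ts, client, url = m.groups()
        stage = stage_for(url)
        if stage and (not hits[client] or hits[client][-1] != stage):
            hits[client].append(stage)
    return dict(hits)


# Constructed sample log: one client walks the full chain, one only hits a redirector IP.
SAMPLE_LOG = """\
2012-03-14T09:41:02 10.0.0.5 http://goo.gl/NEQlS
2012-03-14T09:41:03 10.0.0.5 http://m6ttp.burdencrigyll.ru/
2012-03-14T09:41:05 10.0.0.5 http://64.150.166.50/showthread.php?t=72d268be707a5fb7
2012-03-14T09:42:10 10.0.0.9 http://www.example.com/
2012-03-14T09:43:00 10.0.0.7 http://95.57.154.111/
""".splitlines()

if __name__ == "__main__":
    for client, stages in scan_proxy_log(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```

A client that shows all three stages in order almost certainly reached the exploit kit; a client that only hit a listed IP may have been served a different campaign on the same multihomed infrastructure and is still worth triage.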

