Wednesday, 17 October 2012

Amazon.com spam / sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info

This fake Amazon.com spam leads to malware on sdqhfckuri.ddns.info and ultjiyzqsh.ddns.info:

From: Amazon.Com [mailto:pothooknw@tcsn.net]
Sent: 17 October 2012 06:54
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High


Gift Cards | Your Orders | Amazon.com


Shipping Confirmation
Order #272-3140048-4213404


Hello,
Thank you for shopping with us. We thought you'd like to know that we shipped your gift, and that this completes your order. Your order is on its way, and can no longer be changed. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Tuesday, October 9, 2012


Your package is being shipped by UPS and the tracking number is 1ZX305712324670208. Depending on the ship speed you chose, it may take 24 hours for your tracking number to return any information.

Shipment Details

Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch
Sold by Amazon.com LLC (Amazon.com)     $109.95

Item Subtotal:     $109.95
Shipping & Handling:     $0.00
Total Before Tax:     $109.95
Shipment Total:     $109.95
Paid by Visa:     $109.95

Returns are easy. Visit our Online Return Center.
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
The malicious payload is at [donotclick]sdqhfckuri.ddns.info/links/calls_already_stopping.php or [donotclick]ultjiyzqsh.ddns.info/links/calls_already_stopping.php hosted on 37.230.117.4 (The First CJSC, Russia).

Added: snfgrhoykdcb.ddns.info and jdrxnlbyweco.ddns.info are also being used in this attack, although they do not resolve at present.

Blocking .ddns.info and .ddns.name domains will probably not spoil your day. Blocking the 37.230.116.0/23 range might not either.

Some other subjects seen:
Your Amazon.com order of "Citizen Men's BL2774-05L Eco-Drive Perpetual Calendar Chronograph Watch" has shipped!
Your Amazon.com order of "Casio Men's PAG165-0CR Pathfinder Triple Sensor Multi-Function Sport Watch" has shipped!
Your Amazon.com order of "G-Shock GA-386-1A8 Big Combi Military Series Watch" has shipped!
our Amazon.com order of "Fossil Men's FS2362 Black Silicone Bracelet Black Analog Dial Chronograph Watch" has shipped!
Your Amazon.com order of "Timex Ironman Men's Road Trainer Heart Rate Monitor Watch, Black/Orange, Full Size" has shipped!
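The blocking advice above (the .ddns.info / .ddns.name suffixes and the 37.230.116.0/23 range) and the subject-line pattern shared by all the samples can be turned into a small mail-gateway check. The script below is an added example, not code from this post; the indicators it loads are the hosts, path, address and range quoted above, the sample message is constructed to mirror the spam's headers, and the function names and the "display name says Amazon but sender domain does not" heuristic are my own assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators quoted from the post: the four dynamic-DNS hosts, the payload path,
# and the /23 around the hosting address that the post suggests blocking.
KNOWN_HOSTS = {
    "sdqhfckuri.ddns.info", "ultjiyzqsh.ddns.info",
    "snfgrhoykdcb.ddns.info", "jdrxnlbyweco.ddns.info",
}
KNOWN_PATH = "/links/calls_already_stopping.php"
BLOCKED_SUFFIXES = ("ddns.info", "ddns.name")
BLOCKED_NETWORKS = [ipaddress.ip_network("37.230.116.0/23")]

# Subject template common to every sample listed in the post.
SUBJECT_RE = re.compile(r'^Your Amazon\.com order of ".+" has shipped!$')
# Loose matcher for http(s) links and bare host/path strings in a text body.
URL_RE = re.compile(r'(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s"<>]*)?', re.I)


def host_is_blocked(host):
    """True for an IP inside a blocked range, a known campaign host,
    or any name under one of the blocked dynamic-DNS suffixes."""
    host = host.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip in net for net in BLOCKED_NETWORKS)
    if host in KNOWN_HOSTS or host in BLOCKED_SUFFIXES:
        return True
    return host.endswith(tuple("." + s for s in BLOCKED_SUFFIXES))


def url_is_blocked(url):
    """Block on the host, or on the exact payload path regardless of host
    (the path is unusual enough to stand on its own)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return host_is_blocked(parts.hostname or "") or parts.path == KNOWN_PATH


def classify_message(raw):
    """Return the reasons a raw RFC 822 message looks like this campaign
    (an empty list means nothing matched). Assumes a single-part text body."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # Heuristic (my assumption, not from the post): a display name that
    # claims Amazon while the envelope domain is something else entirely.
    if "amazon" in display.lower() and not (
        sender_domain == "amazon.com" or sender_domain.endswith(".amazon.com")
    ):
        reasons.append("display name claims Amazon but sender domain is " + sender_domain)
    if SUBJECT_RE.match(msg.get("Subject", "")):
        reasons.append("subject matches the campaign template")
    for m in URL_RE.finditer(msg.get_payload()):
        if url_is_blocked(m.group(0)):
            reasons.append("links to blocked host or path: " + m.group(0))
    return reasons


# Constructed sample modelled on the spam quoted in the post.
SAMPLE = """\
From: Amazon.Com <pothooknw@tcsn.net>
Subject: Your Amazon.com order of "Bulova Men's 94B316 Precisionist Claremont Brown Leather Watch" has shipped!
Importance: High

Thank you for shopping with us. Track your package at
http://sdqhfckuri.ddns.info/links/calls_already_stopping.php
"""

if __name__ == "__main__":
    for reason in classify_message(SAMPLE):
        print("HIT:", reason)
```

The host check deliberately treats anything under the blocked suffixes as a hit, which is exactly the trade-off the post describes: a few legitimate dynamic-DNS users may be caught, but the campaign rotates through fresh random labels under the same suffix, so matching the suffix rather than individual names is what keeps the list effective once the listed hosts stop resolving.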

3 comments:

ds said...

Any idea what the payload looks like?

byrsa said...

Payload for me was ZeroAccess (aka Sirefef).

https://www.virustotal.com/file/c39eb9e2045d8608a1c8093efd6690686f4f5131ab15b8ce08b8c119fd21b5a1/analysis/

ds said...

Thanks!