Wednesday, 16 October 2013

Pinterest spam, alenikaofsa.ru and the return of the RU:8080 gang?

This fake Pinterest spam leads to a malicious download on alenikaofsa.ru:

Date:      Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From:      Pinterest [pinbot@pinterest.biz]
Subject:      Your Facebook friend Andrew Hernandez joined Pinterest

A Few Updates...
[redacted]
   
Andrew Hernandez    

Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
   
Visit Profile
       
Happy pinning!

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions

Andrew is a pretty feminine-looking bloke. The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here) that attempts to download [donotclick]alenikaofsa.ru:8080/ieupdate.exe, which has a VirusTotal detection rate of just 1/48 (only Kaspersky detects it... again).

The ThreatTrack report [pdf] looks like peer-to-peer Zeus to me; the Malwr report and Comodo CAMAS report also give some insight.

alenikaofsa.ru is registered to the infamous Russian "private person" and is hosted on the following IPs:
62.75.246.191 (Intergenia AG, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
The domain alionadorip.ru is also hosted on these IPs.

What's interesting is that 69.46.253.241 was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.

Recommended blocklist:
62.75.246.191
69.46.253.241
alenikaofsa.ru
alionadorip.ru
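As an added example (not part of the original post), here is a small Python script that applies the blocklist above to a few constructed proxy log lines, flags the .ru:8080/*.exe download pattern described in the post, and checks the spoofed sender address from the quoted mail header. The log line format, the sample lines, and the assumption that legitimate Pinterest mail would come from pinterest.com are the example's own; the IPs and domains are the ones listed in the post.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the post's recommended blocklist.
BLOCKED_IPS = {"62.75.246.191", "69.46.253.241"}
BLOCKED_DOMAINS = {"alenikaofsa.ru", "alionadorip.ru"}

# Constructed sample proxy log (hypothetical format: timestamp client dest_ip url).
SAMPLE_PROXY_LOG = """\
2013-10-16T12:05:01 10.0.0.15 62.75.246.191 http://alenikaofsa.ru:8080/ieupdate.exe
2013-10-16T12:05:03 10.0.0.22 93.184.216.34 http://example.com/index.html
2013-10-16T12:06:10 10.0.0.15 69.46.253.241 http://alionadorip.ru:8080/ieupdate.exe
2013-10-16T12:07:44 10.0.0.31 203.0.113.9 http://unrelated.ru:8080/setup.exe
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def domain_blocked(host):
    """True if host is a blocklisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify(line):
    """Return a record with the reasons a log line is suspicious (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, dest_ip, url = m.groups()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if dest_ip in BLOCKED_IPS:
        reasons.append("dest-ip-blocklisted")
    if domain_blocked(host):
        reasons.append("domain-blocklisted")
    # Heuristic for the pattern in the post: an .exe fetched over port 8080 from a .ru host.
    # It catches hosts not yet on the blocklist, at the cost of possible false positives.
    if parsed.port == 8080 and host.endswith(".ru") and parsed.path.lower().endswith(".exe"):
        reasons.append("ru-8080-exe-pattern")
    return {"timestamp": ts, "client": client, "host": host, "reasons": reasons}


def scan_log(text):
    """Return only the records that matched at least one indicator or heuristic."""
    hits = []
    for line in text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


ADDR_RE = re.compile(r"([\w.+-]+)@([\w.-]+)")


def sender_domain_mismatch(from_header, expected_domain):
    """True if the address in a From: header is not on the expected domain (or one of its subdomains).

    expected_domain is an assumption supplied by the caller, e.g. "pinterest.com" for a mail
    claiming to be from Pinterest; the quoted spam uses pinterest.biz instead.
    """
    m = ADDR_RE.search(from_header)
    if not m:
        return True  # no parseable address at all is itself suspicious
    domain = m.group(2).lower().rstrip(".")
    expected = expected_domain.lower()
    return not (domain == expected or domain.endswith("." + expected))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(hit["timestamp"], hit["client"], hit["host"], ", ".join(hit["reasons"]))
    print("spoofed sender:", sender_domain_mismatch("Pinterest [pinbot@pinterest.biz]", "pinterest.com"))
```

The blocklist match is exact and safe to act on; the .ru:8080 heuristic is a hunting rule rather than a blocking rule, so in practice it would feed an alert queue rather than a firewall.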

Footnote:
The malware page uses a similar script to that used here although with the rather cheeky comment

// It's "cool" to let user wait 2 more seconds :/
