NACHA Spam / matoreria.com

Another NACHA spam run leading to a malicious payload..

Date:      Tue, 30 Jan 2012 11:02:13 +0000
From:      info@nacha.org
Subject:      Your ACH transaction

The ACH transaction (ID: 8519169560300), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     8519169560300
Rejection Reason     See details in the report below
Transaction Report     report_8519169560300.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The payload is on matoreria.com/search.php?page=73a07bcb51f4be71 hosted on 66.150.164.137 (Nuclear Fallout Enterprises, Seattle). We've seen this ISP before. At the moment the payload seems not to be working properly.

Blocking access to the IP address will also block access to any other malicious sites on the same server.

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com