
Friday, 23 July 2010

"Thank you for registering with ImageShack." mail leads to virus

A fairly crude attempt to get clickthroughs to a virus-infected site:

From: ImageShack Registration <noreply@yfrog.com>
Date: 23 July 2010 15:46
Subject: Thank you for registering with ImageShack.
   
---------------------------------------------------
Thank you for registering with ImageShack.
---------------------------------------------------

Your username: confidingjc
Your password: 09088066
Your registration link: http://financial-independence.co.za/

Please read this email carefully, it contains important information about your ImageShack account.

Please do not reply to this email, this mailbox is not checked. To report problems use support section of the web site.

---------------------------------------------------
HOW DO I LOGIN?
---------------------------------------------------

Click the 'Login' button located at the top of ImageShack pages in order to login.
Type here your username and password located in this email.

Once you are logged in, you will be presented with your Image Panel.


---------------------------------------------------
HOW CAN I CHANGE MY PASSWORD?
---------------------------------------------------

If you want to change your password, use the following link:
http://financial-independence.co.za/
If you have forgot your password, use the following link:
http://financial-independence.co.za/

---------------------------------------------------
HOMEPAGE
---------------------------------------------------

Your friends can access your public images and slideshows at http://financial-independence.co.za/

---------------------------------------------------
COMMON QUESTIONS
---------------------------------------------------
Answers to common questions: http://financial-independence.co.za/

Sincerely,
The ImageShack Team
financial-independence.co.za might well be a hijacked site; it's hard to tell who owns it because the .CO.ZA WHOIS server isn't working. The site is hosted on 207.45.186.34 [Acenet Inc, Michigan].

This leads to a fake Adobe Flash installer (adobe_flash_install.exe) and an exploit site on diamonddoctor.ru:8080 which serves up some other nasties. diamonddoctor.ru has minimal WHOIS details:

domain:     DIAMONDDOCTOR.RU
nserver:    ns1.dnsofthost.com.
nserver:    ns2.dnsofthost.com.
nserver:    ns3.dnsofthost.com.
nserver:    ns4.dnsofthost.com.
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +7 495 7284001
e-mail:     hop@fastermail.ru
registrar:  NAUNET-REG-RIPN
created:    2010.07.13
paid-till:  2011.07.13
source:     TCI

It's no real surprise to see that it is hosted by Netdirekt on 84.16.230.27, along with these other sites which are good candidates to block:

Blackpr.biz
Chertenok.name
Lockerz-invite.ru
Nemerova.name
Technaxx.pl
Technaxx.ru
Tequieroputa.net
Themysite.net

Of note is that once again we're seeing the supporting services (here the name servers) going through the dnsofthost.com domain, which seems to be used only by the bad guys. The administrator contact in its WHOIS record is:

Administrator:
  Dmitriy Ilin depot@infotorrent.ru +7.8127047272
  Dmitriy Ilin
  Yuriya Gagarina pr-kt d.24-1 lit.A
  Sankt-Peterburg,Sankt-Peterburg,RUSSIAN FEDERATION 196211


infotorrent.ru crops up pretty often in this kind of malware attack.

Anyway, a quick fix for corporate administrators is to block messages with the subject "Thank you for registering with ImageShack." for the time being.
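One way to turn the indicators in this post into a mail-gateway check, as an added example that is not code from the original post: it flags the fixed subject line, any link whose host is one of the domains or IPs listed here, and a mail from yfrog.com whose links point somewhere other than yfrog.com or imageshack.us (that pair of legitimate link domains is an assumption made for illustration, as are the two sample messages, which are constructed from the spam quoted above).

```python
"""Gateway check for the fake "ImageShack registration" mails.

Added example, not from the original post. Flags a message when:
  (a) its Subject is the campaign's fixed subject line,
  (b) a URL in the body lands on a domain/IP the post lists, or
  (c) the sender domain is one we know, but a body link points to a
      domain that does not belong to it (registration-mail mismatch).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Subject line to block outright, per the post.
BLOCKED_SUBJECTS = {"Thank you for registering with ImageShack."}

# Domains and hosts the post names as block candidates.
BLOCKLIST = {
    "financial-independence.co.za", "forsight.com.au", "diamonddoctor.ru",
    "blackpr.biz", "chertenok.name", "lockerz-invite.ru", "nemerova.name",
    "technaxx.pl", "technaxx.ru", "tequieroputa.net", "themysite.net",
    "dnsofthost.com", "infotorrent.ru",
    "207.45.186.34", "84.16.230.27",
}

# Assumption for illustration: the domains a genuine mail from
# noreply@yfrog.com would link to.
LEGIT_LINK_DOMAINS = {"yfrog.com": {"yfrog.com", "imageshack.us"}}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def _in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def link_hosts(msg):
    """Set of normalised hostnames (or IP literals) linked from the body."""
    hosts = set()
    for url in URL_RE.findall(body_text(msg)):
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.add(host)
    return hosts


def check_message(raw):
    """Return a list of reasons to block; an empty list means clean."""
    msg = message_from_string(raw)
    reasons = []

    subject = (msg.get("Subject") or "").strip()
    if subject in BLOCKED_SUBJECTS:
        reasons.append("subject: " + subject)

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = link_hosts(msg)

    for host in sorted(hosts):
        if any(_in_domain(host, bad) for bad in BLOCKLIST):
            reasons.append("blocklisted link host: " + host)

    allowed = LEGIT_LINK_DOMAINS.get(sender_domain)
    if allowed is not None:
        for host in sorted(hosts):
            if not any(_in_domain(host, ok) for ok in allowed):
                reasons.append(
                    f"link to {host} does not belong to sender domain {sender_domain}")
    return reasons


# Constructed sample, trimmed from the spam quoted in the post.
SPAM = """\
From: ImageShack Registration <noreply@yfrog.com>
Subject: Thank you for registering with ImageShack.
Content-Type: text/plain; charset=us-ascii

Your username: confidingjc
Your registration link: http://financial-independence.co.za/
If you want to change your password, use the following link:
http://financial-independence.co.za/
"""

# Constructed sample of what a genuine yfrog.com mail might look like.
LEGIT = """\
From: ImageShack Registration <noreply@yfrog.com>
Subject: Your ImageShack photo was viewed
Content-Type: text/plain; charset=us-ascii

See it at http://imageshack.us/photo/my-images/1/example.jpg/
"""

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, check_message(raw) or "clean")
```

Check (c) is the one that keeps working after the attackers rotate the subject line and the hijacked domain: a "registration" mail that claims to be from one domain but sends every link to another is the real tell here, and it needs no per-campaign update.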

Added: forsight.com.au is also a domain being used in the attack; it looks to be another hijacked legitimate domain.
