Sponsored by..

Monday 26 July 2010

Welcome to "Joomla!" email links to malware

A variant on this malware-laden email, this particular approach pretends to be from Joomla and even goes as far as to fake some of the headers to avoid detection.

From: no_reply_forum@joomla.org [mailto:no_reply_forum@joomla.org]
Sent: 26 July 2010 15:57
Subject: Welcome to "Joomla!"

Welcome to Joomla! forums

Please keep this e-mail for your records. Your account information is as
follows:

----------------------------
Username: haymixer

Board URL: http://cambridge-narrows.ca/
----------------------------

Please visit the following link in order to activate your account:

http://cambridge-narrows.ca/

Your password has been securely stored in our database and cannot be
retrieved. In the event that it is forgotten, you will be able to reset it
using the email address associated with your account.

Thank you for registering.

--
Thanks,
Joomla! Community Forum
cambridge-narrows.ca has been compromised and attempts to load malware from cambridge-narrows.ca/adobe_flash_install.exe

The infected page then also tries to load from thewatches-discount.com:8080/index.php?pid=10 and thecoca-colacompany.com/images/noflash_singlevideo.gif (yes, it really is The Coca-Cola Company).

thewatches-discount.com is multihomed on:
Addresses:  84.16.230.27 [Netdirekt, Germany], 87.106.179.206 [1&1, Germany], 91.121.162.65 [OVH, France], 94.23.224.221 [OVH, France] and 62.212.132.226 [Xenosite, Netherlands]. This gives us a whole batch of dodgy looking sites worth blocking:

84.16.230.27
Applecorn.com
Areadrum.com
Bittag.ru
Blackpr.biz
Bookdisk.ru
Boozelight.ru
Busyspade.com
Chertenok.name
Galneed.ru
Galslime.com
Gigasofa.com
Hillchart.com
Horsedoctor.ru
Jarpub.ru
Lockerz-invite.ru
Marketholiday.ru
Oilrule.ru
Pressurespa.ru
Problemdollars.ru
Raceobject.ru
Roundstorm.com
Sadute.com
Sheepbody.com
Spacememory.ru
Tanspice.com
Tanyear.com
Technaxx.pl
Technaxx.ru
Thecheapviagra.com
Themysite.net
Theviagrapills.com
Tightsales.com
Validplan.com
Waxyblock.com
Yaktrack.ru

87.106.179.206
Ballanteam.com
Splatspa.com
Valbou.com

91.121.162.65
Aionitalian.net
Aionitalian.org
Ashsoftware.ru
Bakedship.ru
Hugejar.com
Inktime.ru
Momhand.ru
Politicalpoets.ru
Taxshelf.ru
Yoursoap.ru
Ashdog.ru
Cornerrat.ru
Mondayring.ru
Relaxedgrape.ru
Warydrunk.ru

62.212.132.226
Bail.nl
Bigeventsbooker.nl
Bouwinkopen.nl
Buyviagraworld.com
Cafemack.com
Cvens.nl
Dateforbusiness.nl
Dealyak.ru
Dekroonvanemmeloord.nl
Diamonddoctor.ru
Directorschaircompany.com
Drunkjeans.com
Earlymale.com
Eventdirectory.nl
Famerule.ru
Familywater.ru
Flevoland-weddingevent.nl
Forum4events.com
Forum4events.nl
Hollandgaatuit.com
Kroonvanemmeloord.nl
Lasteye.com
Liplead.ru
Manamina.nl
Nibourgproductions.nl
Outerrush.com
Prominent-vastgoed.nl
Realgg.nl
Sexysushi.nl
Silencepill.ru
Silencewindow.ru
Sisterqueen.ru
Slaveday.ru
Superjoke.nl
Tintie.ru
Tipbear.ru
Treecorn.ru
Urkinwintersferen.nl
Urkopdeplanken.nl
Vandijk-ict.eu
Zooneed.ru

The other sites on 94.23.224.221 seem to be legitimate.

Sunbelt has a write-up of the last attack with some analysis here.

No comments: