These sites and IPs seem to be distributing some sort of Zeus variant. In this case users are being enticed to download a file called Fattura.zip (Italian for "invoice") which then contains an executable with the name Fattura.Doc_________________________________________________________________.exe (there are 65 underscores in the filename). That seems daft until you realise that all those underscores are designed to hide the .exe extension by making the filename so big that it is truncated.
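Detection logic for the padded double-extension trick described above, as an added example that is not part of the original post; the extension sets, the padding characters and the 16-character threshold are assumptions, and the sample filenames are constructed.

```python
# Extensions Windows executes when the file is double-clicked (assumed set).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}
# Document-style extensions used as the decoy in front of the padding (assumed set).
DECOY_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg"}
# Characters an attacker can pad with to push the real extension out of view.
PADDING_CHARS = "_- \u00a0"
# Runs at least this long are treated as deliberate padding (threshold assumed).
MIN_PADDING = 16


def analyse_filename(name):
    """Return (suspicious, reasons) for one filename.

    Flags the three parts of the trick: a decoy document extension, a long run
    of padding after it, and the real executable extension at the very end.
    """
    parts = name.lower().split(".")
    reasons = []
    if len(parts) < 2:
        return False, reasons
    final_ext = parts[-1].strip(PADDING_CHARS)
    if final_ext in EXECUTABLE_EXTS:
        reasons.append("final extension '%s' is executable" % final_ext)
    # The component before the real extension: "doc_____" -> decoy "doc", 5 padding chars.
    previous = parts[-2]
    decoy = previous.rstrip(PADDING_CHARS)
    padding_len = len(previous) - len(decoy)
    if decoy in DECOY_EXTS:
        reasons.append("decoy extension '%s' before the real one" % decoy)
    if padding_len >= MIN_PADDING:
        reasons.append("%d padding characters hide the real extension" % padding_len)
    # An executable extension alone is not a disguise; require a decoy or padding as well.
    suspicious = final_ext in EXECUTABLE_EXTS and len(reasons) >= 2
    return suspicious, reasons


# Constructed sample names: the pattern from the post plus benign and simpler cases.
SAMPLE_NAMES = [
    "Fattura.Doc" + "_" * 65 + ".exe",  # padded double extension, as in the post
    "Fattura.doc",                      # a genuine document
    "report.pdf.scr",                   # plain double extension, no padding
    "setup.exe",                        # an executable with no disguise
]


def scan(names=SAMPLE_NAMES):
    """Map each filename to its (suspicious, reasons) verdict."""
    return {n: analyse_filename(n) for n in names}
```

Run `scan()` to see which of the constructed names are flagged and why; the padded name is flagged on all three counts, the genuine document on none.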
At the moment, the malware (MD5 09886612d542e1b354aeda6a16f9ccf5) is poorly detected (4/43 at VirusTotal). ThreatExpert's prognosis is here.
The back end is a bit more interesting and gives a large number of IPs and domains to block if you want to be proactive about stopping this sort of thing.
The back end servers are primarily:
Associated domains: