Sponsored by..

Wednesday 22 February 2012

Contract spam / cpojkjfhotzpod.ru

Another spam run (will they ever end?) this time with a malicious .htm attachment that tries to download from cpojkjfhotzpod.ru. Here are some examples:

Date:      Wed, 21 Feb 2012 07:17:49 +0800
From:      "LARUE Riley"
Subject:      Fw: Contract from LARUE
Attachments:     Contract_Scan_N5005.htm

Good afternoon,



In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

LARUE Riley, secretary

==========

Date:      Wed, 21 Feb 2012 05:17:01 +0700
From:      "DELORIS Hensley"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N0395.htm

Dear Customers,

In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

DELORIS Hensley, secretary

===========


Date:      Wed, 21 Feb 2012 09:10:09 +0900
From:      "ALISHA MCMILLIAN"
Subject:      Fw: Contract from ALISHA
Attachments:     Contract_Scan_N67448.htm

Dear Customers,

In the attached file I am transferring you the Translation of the Sales Contract



that I have just received today. I am really sorry for the delay.

Best regards,

ALISHA MCMILLIAN, secretary

==========

Date:      Wed, 21 Feb 2012 04:41:45 +0700
From:      "Drake Milton"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N7682.htm

Hello,

In the attached file I am forwarding you the Translation of the Purchase Contract

that I have just received a minute ago. I am really sorry for the delay.

Best regards,

Drake Milton, secretary

==========

The malicous payload is on cpojkjfhotzpod.ru:8080/images/aublbzdni.php which is multihomed on several IP addresses, most of which we have seen before (and many of which are with Slicehost). A plain list is at the end for copy-and-pasting.

46.137.251.11 Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast, US)
69.60.117.183(Colopronto, US)
72.22.83.93 (iPower, US)
79.101.30.15 (Serbia Telekom, Serbia)
83.170.91.152 (UK2.NET, UK)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
94.20.30.91 (Delta Telecom, Azerbaijan)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
173.203.51.174 (Slicehost, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)

46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
79.101.30.15
83.170.91.152
87.120.41.155
88.191.97.108
94.20.30.91
95.156.232.102
98.158.180.244
125.19.103.198
125.214.74.8
173.203.51.174
184.106.151.78
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
204.152.221.233
209.114.47.158
210.56.23.100
210.56.24.226

No comments: