Date: Fri, 16 Feb 2012 11:24:56 +0700
From: "VICTOR TALLEY"
Subject: Scan from a Hewlett-Packard Officejet 3906171
Attachments: HP_Scan-02.16_N05556.htm

Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 97687P.
Sent by: VICTOR
Images : 9
Attachment Type: .HTML [Internet Explorer]
Hewlett-Packard Location: machine location not set
Device: PFJ722DS0IDJ4996064

The attachment attempts to download malicious code from cserimankra.ru:8080/images/aublbzdni.php which is multihomed (report here) and then attempts to download more malcode from samaragotodokns.ru:8080/images/jw.php?i=8
These .ru sites are hosted on a familiar set of IP addresses, very similar to the ones found here.
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
111.93.161.226 (Tata Teleservices, India)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, South Korea)
If you need a bare set of IP addresses for pasting into a blocklist:
Update: cgolidaofghjtr.ru is being used in a similar spam run and is on the same servers.
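As an added example (not part of the original post), here is a small Python check that runs the indicators above over proxy logs: it flags a request when its destination IP is in the list, when the URL has the host.ru:8080/images/name.php shape used by both download stages, and when the host is one of the three domains named in the post. The Squid-style log lines are constructed for this example; the log format and field order are assumptions.

```python
import re

# Hosting IPs, domains and URL shape taken from the post above.
BLOCKLIST_IPS = {
    "46.137.251.11", "50.31.1.105", "50.57.77.119", "50.76.184.100",
    "69.60.117.183", "87.120.41.155", "88.191.97.108", "111.93.161.226",
    "173.203.51.174", "173.255.229.33", "184.106.151.78", "184.106.237.210",
    "190.81.107.70", "190.106.129.43", "200.169.13.84", "204.12.252.82",
    "210.56.23.100", "211.44.250.173",
}
KNOWN_DOMAINS = {"cserimankra.ru", "samaragotodokns.ru", "cgolidaofghjtr.ru"}
# Both stages use http://<host>.ru:8080/images/<name>.php with an optional query.
URL_PATTERN = re.compile(
    r"^https?://([a-z0-9.-]+\.ru):8080/images/[a-z0-9]+\.php(\?.*)?$", re.I)

# Assumed Squid native access.log layout:
# time elapsed client code/status bytes method url user peerstatus/peerhost type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S*$")

# Constructed sample log: two campaign hits, one benign line, one weak match.
SAMPLE_LOG = """\
1329366296.123 412 10.0.0.15 TCP_MISS/200 1842 GET http://cserimankra.ru:8080/images/aublbzdni.php - DIRECT/50.57.77.119 text/html
1329366301.456 530 10.0.0.15 TCP_MISS/200 9013 GET http://samaragotodokns.ru:8080/images/jw.php?i=8 - DIRECT/184.106.151.78 application/octet-stream
1329366310.789 88 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.com/images/logo.php - DIRECT/203.0.113.5 text/html
1329366320.001 61 10.0.0.31 TCP_MISS/200 733 GET http://unrelatedsite.ru:8080/images/abc123.php - DIRECT/198.51.100.7 text/html
"""

def classify(url, peer_ip):
    """Return the list of indicator types a request matches (empty if none)."""
    reasons = []
    if peer_ip in BLOCKLIST_IPS:
        reasons.append("dest-ip")
    m = URL_PATTERN.match(url)
    if m:
        reasons.append("url-shape")
        if m.group(1).lower() in KNOWN_DOMAINS:
            reasons.append("known-domain")
    return reasons

def scan(lines):
    """Return (client_ip, url, reasons) for every log line matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reasons = classify(m.group("url"), m.group("peer"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(client, url, ",".join(reasons))
```

A line that matches only "url-shape" (the last sample line) is worth a look but not a block on its own; the IP and domain matches are the firm indicators from the post.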