Tuesday 10 April 2012

jueoaritjuir.php attacks to block

There have been a great many malicious spam runs in the past few days, some carrying an HTML attachment directly and some using an HTML-in-ZIP attack (the malicious .htm file wrapped in a .zip). Examples follow as subject line, then attachment name(s):

Intercompany inv. from Safeco Corporation Corp.
Invoice_1750544151.zip
Invoice.htm

Scan from a HP ScanJet  #24166324
Scan_HPa.zip
HP_Scan.htm

Re: End of Aug. Statement Required
Invoice_N{DIG}.htm

Your Flightticket
FLIGHT_TICKET_N24207.zip
Ticket.htm

FEDEX: DELIVER CONFIRMATION - FAILED 335929
Collect_Letter-176310.htm

Payload URLs include:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://81.30.160.7:8080/navigator/jueoaritjuir.php
hxxp://88.190.22.72:8080/navigator/jueoaritjuir.php
hxxp://89.31.145.154:8080/navigator/jueoaritjuir.php
hxxp://112.78.124.115:8080/navigator/jueoaritjuir.php
hxxp://194.85.97.121:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
hxxp://webalizerindians.ru:8080/navigator/jueoaritjuir.php

By host:
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
81.30.160.7 (Vinteleport, Ukraine)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
62.85.27.129
81.30.160.7
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
194.85.97.121
202.149.85.37
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

These IPs seem pretty consistent at the moment, so blocking them should offer some degree of protection.
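As an added example (not part of the original post), the script below turns the defanged payload URLs and the plain IP list above into a single block list and then checks constructed proxy log lines for the `/navigator/jueoaritjuir.php` path or any listed host. Taking the union of both lists matters: the URL list and the host list on this page do not contain exactly the same addresses, so a block list built from only one of them misses a host. The Squid-style log lines are constructed for illustration and are not from the post; the `iptables` rule generator is one possible way to express the block and assumes an egress filter that can drop outbound TCP to port 8080.

```python
"""Build a block list from the post's IoCs and scan proxy logs for hits.
Added example: the log lines are constructed, not from the original post."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Defanged payload URLs copied from the post above.
PAYLOAD_URLS = [
    "hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php",
    "hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php",
    "hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php",
    "hxxp://81.30.160.7:8080/navigator/jueoaritjuir.php",
    "hxxp://88.190.22.72:8080/navigator/jueoaritjuir.php",
    "hxxp://89.31.145.154:8080/navigator/jueoaritjuir.php",
    "hxxp://112.78.124.115:8080/navigator/jueoaritjuir.php",
    "hxxp://194.85.97.121:8080/navigator/jueoaritjuir.php",
    "hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php",
    "hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php",
    "hxxp://webalizerindians.ru:8080/navigator/jueoaritjuir.php",
]

# Plain IP list copied from the post above.
BLOCK_IPS = [
    "41.66.137.155", "41.168.5.140", "62.85.27.129", "81.30.160.7",
    "88.190.22.72", "89.31.145.154", "112.78.124.115", "125.19.103.198",
    "194.85.97.121", "202.149.85.37", "210.56.23.100", "210.109.108.210",
    "211.44.250.173", "219.94.194.138",
]

MALICIOUS_PATH = "/navigator/jueoaritjuir.php"


def refang(url):
    """Turn hxxp:// back into http:// so urlparse can read it (in memory only)."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def payload_hosts(urls):
    """Hostnames (IPs or domains) found in the payload URLs."""
    return {urlparse(refang(u)).hostname for u in urls}


def blocklist(urls, ips):
    """Union of URL hosts and the plain IP list, split into (ips, domains)."""
    hosts = payload_hosts(urls) | set(ips)
    ip_set, domains = set(), set()
    for host in hosts:
        try:
            ip_address(host)
            ip_set.add(host)
        except ValueError:
            domains.add(host)
    return sorted(ip_set, key=ip_address), sorted(domains)


def iptables_rules(ips, port=8080):
    """One outbound DROP rule per IP; assumes an egress filter using iptables."""
    return [f"iptables -A OUTPUT -d {ip} -p tcp --dport {port} -j DROP"
            for ip in ips]


# Constructed Squid-style access log lines (client IP is field 3, URL is field 7).
SAMPLE_LOG = """\
1334050000.123 45 10.0.0.5 TCP_MISS/200 1234 GET http://41.168.5.140:8080/navigator/jueoaritjuir.php - DIRECT/41.168.5.140 text/html
1334050001.456 30 10.0.0.6 TCP_MISS/200 5678 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1334050002.789 50 10.0.0.7 TCP_MISS/200 910 GET http://webalizerindians.ru:8080/navigator/jueoaritjuir.php - DIRECT/88.190.22.72 text/html
"""


def find_hits(log_text, ip_set, domains):
    """Return (client, host) for every request to a listed host or the payload path."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        client, url = fields[2], fields[6]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.path == MALICIOUS_PATH or host in ip_set or host in domains:
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    ips, domains = blocklist(PAYLOAD_URLS, BLOCK_IPS)
    print("\n".join(iptables_rules(ips)))
    print("domains to sinkhole:", domains)
    for client, host in find_hits(SAMPLE_LOG, set(ips), set(domains)):
        print(f"hit: {client} -> {host}")
```

Matching on the URL path as well as the host catches the same kit if it moves to an address not yet on the list; review the hits for the internal client addresses, since those are the machines that opened the attachment.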
