Date: Mon, 14 Jan 2013 10:49:06 +0300
From: Friendster Games [friendstergames@friendster.com]
Subject: ADP Immediate Notification
ADP Immediate Notification
Reference #: 540328394
Mon, 14 Jan 2013 10:49:06 +0300
Dear ADP Client
Your Transfer Record(s) have been created at the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please see the following notes:
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.
This note was sent to acting users in your system that approach ADP Netsecure.
As usual, thank you for choosing ADP as your business affiliate!
Ref: 984259785
HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is on [donotclick]dekamerionka.ru:8080/forum/links/column.php hosted on:
81.31.47.124 (Master Internet s.r.o / Petr Bydzovsky, Czech Republic)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and domains involved:
81.31.47.124
91.224.135.20
212.112.207.15
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dekamerionka.ru
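The plain list above is meant to be dropped into a blocklist or run against proxy and DNS logs. The following is an added example of doing exactly that; it is not code from the original post. It loads the IPs and domains listed above, matches hostnames including subdomains, and additionally flags the landing-page path and non-standard port (:8080/forum/links/column.php) seen in this run, since the kit rotates hostnames faster than it rotates paths. The log lines are constructed for the example and assume a simple Squid-style "timestamp client method url status" layout.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the post's plain list (defanging marker removed).
IOC_IPS = {
    "81.31.47.124",
    "91.224.135.20",
    "212.112.207.15",
}
IOC_DOMAINS = {
    "dmeiweilik.ru",
    "belnialamsik.ru",
    "demoralization.ru",
    "dumarianoko.ru",
    "dimanakasono.ru",
    "bananamamor.ru",
    "dekamerionka.ru",
}
# Landing-page path and port from the post. Used as a secondary signal:
# a hit here on an unlisted host is worth a look even without a domain match.
IOC_PATH = "/forum/links/column.php"
IOC_PORT = 8080

# Constructed sample proxy log (assumed layout: timestamp client method url status).
SAMPLE_LOG = """\
1358156946.123 10.0.0.5 GET http://dekamerionka.ru:8080/forum/links/column.php 200
1358156950.456 10.0.0.7 GET http://www.example.com/index.html 200
1358156955.789 10.0.0.9 GET http://91.224.135.20:8080/forum/links/column.php 200
1358156960.001 10.0.0.5 GET http://sub.bananamamor.ru/ 302
1358156965.222 10.0.0.11 GET http://notdekamerionka.ru/ 200
1358156970.333 10.0.0.12 GET http://unknownhost.example:8080/forum/links/column.php 200
"""


def host_matches_domain(host, domains):
    """True if host equals a listed domain or is a subdomain of one.

    The dot-prefixed comparison avoids false positives such as
    'notdekamerionka.ru' matching 'dekamerionka.ru'.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return True
    return False


def classify_url(url):
    """Return the list of IOC reasons a URL matches (empty list means no match)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    try:
        ip = ipaddress.ip_address(host)
        if str(ip) in IOC_IPS:
            reasons.append("ip")
    except ValueError:
        # Not an IP literal, so treat it as a hostname.
        if host_matches_domain(host, IOC_DOMAINS):
            reasons.append("domain")
    if parts.port == IOC_PORT and parts.path == IOC_PATH:
        reasons.append("landing-path")
    return reasons


def scan_log(text):
    """Scan log lines and return (client, url, reasons) for every IOC hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash mid-scan
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

Run against the constructed log, the scan reports four hits: the two direct fetches of the landing page (one by domain, one by IP), a subdomain of bananamamor.ru, and an unlisted host serving the same :8080 path, which is the kind of lead that turns up the next hostname in the rotation. The look-alike notdekamerionka.ru is correctly left alone.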
1 comment:
Hello Conrad,
Made a guide to flush dry exploits & payload files served via Blackhole at dekamerionka.ru:8080, in here: http://malwaremustdie.blogspot.com/p/81.html
I hope the data is useful for researchers and raising malware infection awareness. Sorry for just textual data.