Tuesday 8 January 2013

Malware sites to block 8/1/13

These IPs and domains appear to be active in malicious spam runs today:

41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik.ru

Quite a few of these IPs have been used in multiple attacks, so blocking them would be prudent.

Update: here are some sample emails pointing to a malicious landing page at [donotclick]belnialamsik.ru:8080/forum/links/column.php:


Date:      Tue, 8 Jan 2013 10:05:55 +0100
From:      Shavonda Duke via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: Security update for banking accounts.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

================

Date:      Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From:      FilesTube [filestube@filestube.com]
Subject:      Fwd: Re: Banking security update.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
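The indicators above are only useful if they get matched against what your proxy actually saw. The script below is an added example (not part of the original post): it refangs the blog's [donotclick]/hxxp notation, splits the list into IPs, domains and the exact landing-page path, scans Squid-style access log lines for hits (including CONNECT requests and subdomains of a listed domain), and emits iptables/Squid block rules. The log lines are constructed for the example, use documentation-range peer addresses, and do not claim any real resolution of the listed domain.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post (8 January 2013), including the defanged
# landing-page URL from the update.
RAW_IOCS = """
41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik.ru
[donotclick]belnialamsik.ru:8080/forum/links/column.php
"""

# Constructed Squid native-format log lines for this example; peer addresses
# are from the 203.0.113.0/24 documentation range, not real resolutions.
SAMPLE_LOG = """\
1357639555.123    245 10.0.0.12 TCP_MISS/200 3012 GET http://belnialamsik.ru:8080/forum/links/column.php - HIER_DIRECT/203.0.113.5 text/html
1357639570.001     12 10.0.0.12 TCP_MISS/200 881 GET http://www.example.com/ - HIER_DIRECT/203.0.113.9 text/html
1357639590.450    301 10.0.0.27 TCP_MISS/200 15230 GET http://187.85.160.106/forum/links/column.php - HIER_DIRECT/187.85.160.106 text/html
1357639602.777      0 10.0.0.31 TCP_DENIED/403 0 CONNECT cdn.belnialamsik.ru:443 - HIER_NONE/- text/html
"""

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S*$"
)


def refang(indicator):
    """Undo the defanging conventions used on the blog ([donotclick], hxxp, [.])."""
    s = indicator.strip().replace("[donotclick]", "")
    s = re.sub(r"^hxxp", "http", s)
    return s.replace("[.]", ".")


def load_iocs(text):
    """Return (ip set, domain set, {(host, path)} landing pages) from the raw list."""
    ips, domains, paths = set(), set(), set()
    for raw in text.splitlines():
        s = refang(raw)
        if not s:
            continue
        try:
            ips.add(str(ipaddress.ip_address(s)))
            continue
        except ValueError:
            pass
        if "/" in s or ":" in s:
            # A landing page: keep host and path; the port is deliberately ignored
            # so the same page served on another port still matches.
            parts = urlsplit(s if "://" in s else "http://" + s)
            domains.add(parts.hostname.lower())
            paths.add((parts.hostname.lower(), parts.path))
        else:
            domains.add(s.lower())
    return ips, domains, paths


def host_matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_line(line, iocs):
    """Return (client, host, [hit kinds]) for a log line, or None if clean."""
    ips, domains, paths = iocs
    m = SQUID_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if "://" not in url:  # CONNECT requests log host:port without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in ips or m.group("peer") in ips:
        hits.append("ip")
    if host_matches(host, domains):
        hits.append("domain")
    if (host, parts.path) in paths:
        hits.append("landing-page")
    return (m.group("client"), host, hits) if hits else None


def scan(log_text, iocs):
    return [r for r in (check_line(l, iocs) for l in log_text.splitlines()) if r]


def iptables_rules(ips):
    return ["iptables -A OUTPUT -d %s -j DROP" % ip
            for ip in sorted(ips, key=ipaddress.ip_address)]


def squid_acl(domains):
    # Leading dot makes Squid's dstdomain match the domain and all subdomains.
    return "acl malware_dst dstdomain " + " ".join("." + d for d in sorted(domains))


if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    for client, host, hits in scan(SAMPLE_LOG, iocs):
        print("%s -> %s  [%s]" % (client, host, ", ".join(hits)))
    print("\n".join(iptables_rules(iocs[0])))
    print(squid_acl(iocs[1]))
```

Matching on the peer address as well as the request host catches cases where a client went to a listed IP through a hostname you have not seen yet; the subdomain rule catches the cdn.belnialamsik.ru style of variation without needing a separate entry.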

1 comment:

unixfreaxjp said...

Hello Conrad,

Looks like they used the double obfuscation method now in the blackhole landing page.

I put the decode guide reference here:
https://dl.dropbox.com/u/32230830/MMD-20130108-BHEK-Cridex.txt
(can't make time to blog & pastebin rejects the big size)

Hope it's helpful.

Regards - #MalwareMustDie