41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik.ru
Quite a few of these IPs have been used in multiple attacks; blocking them would be prudent.
Update: some sample emails pointing to a malicious landing page at [donotclick]belnialamsik.ru:8080/forum/links/column.php:
Date: Tue, 8 Jan 2013 10:05:55 +0100
From: Shavonda Duke via LinkedIn [member@linkedin.com]
Subject: Re: Fwd: Security update for banking accounts.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
================
Date: Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From: FilesTube [filestube@filestube.com]
Subject: Fwd: Re: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details
Best regards,
Security department
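As an added example (not part of the original post), the script below does the two things the list above calls for: it matches the IPs, the domain and the landing-page path against proxy log lines, and it turns the IP list into egress block rules. It assumes Squid native access.log format for the input; the sample log lines are constructed for the example, and the `parse_squid_line`, `check_request`, `scan_log` and `blocklist_rules` names are my own.

```python
import ipaddress
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# IOCs copied from the post above.
BLOCKED_IPS = frozenset({
    "41.168.5.140", "42.121.116.38", "62.76.186.24", "82.165.193.26",
    "91.224.135.20", "110.164.58.250", "187.85.160.106", "210.71.250.131",
})
BLOCKED_HOSTS = frozenset({"belnialamsik.ru"})
# Path of the landing page named in the post. It is checked on its own, so the
# same kit page served from a host not yet on the list still shows up.
LANDING_PATH = "/forum/links/column.php"

# Constructed sample lines in Squid "native" access.log format (assumption:
# timestamp, elapsed ms, client, result, bytes, method, URL, ident,
# hierarchy/peer, content-type). Adapt parse_squid_line() to your own format.
SAMPLE_LOG = """\
1357639555.123    312 10.0.0.15 TCP_MISS/200 4512 GET http://belnialamsik.ru:8080/forum/links/column.php - DIRECT/91.224.135.20 text/html
1357639560.001     45 10.0.0.22 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1357639571.777    250 10.0.0.15 TCP_MISS/200 9988 GET http://110.164.58.250/forum/links/column.php - DIRECT/110.164.58.250 application/octet-stream
1357639580.500     10 10.0.0.40 TCP_MISS/200 300 GET http://other.example.net:8080/forum/links/column.php - DIRECT/203.0.113.9 text/html
"""


def parse_squid_line(line: str) -> Dict[str, str]:
    """Split one native-format Squid line into the fields the checks need."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format squid line: %r" % line)
    return {"client": f[2], "url": f[6], "peer": f[8].split("/", 1)[-1]}


def is_blocked_ip(value: str) -> bool:
    """True if value parses as an IP address and that address is on the list."""
    try:
        return str(ipaddress.ip_address(value)) in BLOCKED_IPS
    except ValueError:  # hostnames, "-" and other non-addresses
        return False


def check_request(client: str, url: str, peer: str) -> List[str]:
    """Return the reasons a single request matches the IOCs (empty if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in BLOCKED_HOSTS:
        reasons.append("blocked-host")
    if is_blocked_ip(host):          # URL used a raw IP instead of a name
        reasons.append("blocked-ip")
    if is_blocked_ip(peer):          # where the proxy actually fetched from
        reasons.append("blocked-peer")
    if parts.path == LANDING_PATH:   # kit path, whatever host served it
        reasons.append("landing-path")
    return reasons


def scan_log(text: str) -> List[Dict]:
    """Run check_request over every line; return one record per matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        reasons = check_request(rec["client"], rec["url"], rec["peer"])
        if reasons:
            hits.append({"line": n, "client": rec["client"],
                         "url": rec["url"], "reasons": reasons})
    return hits


def blocklist_rules(ips: Iterable[str] = BLOCKED_IPS) -> List[str]:
    """Egress DROP rules, one per IP, validated and sorted for stable output.

    ipaddress.ip_address() raises ValueError on anything that is not an
    address, so a malformed list entry never reaches a shell."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    return ["iptables -A OUTPUT -d %s -j DROP" % a for a in addrs]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %(line)d client %(client)s -> %(url)s [%(reasons)s]" % {
            **hit, "reasons": ", ".join(hit["reasons"])})
    print("\n".join(blocklist_rules()))
```

The fourth sample line is the reason the path check is separate from the host and IP checks: a request to the same `:8080/forum/links/column.php` page on a host that is not yet on the list is still worth a look, since these kit paths tend to outlive any one hosting IP. The rules are emitted as text rather than executed so they can be reviewed before being applied.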
Hello Conrad,
Looks like they used the double obfuscation method now in the Blackhole landing page.
I put the decode guide reference here:
https://dl.dropbox.com/u/32230830/MMD-20130108-BHEK-Cridex.txt
(can't make time to blog, and pastebin rejected the big size)
Hope it's helpful.
Regards - #MalwareMustDie