41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik.ru
Quite a few of these IPs have been used in multiple attacks; blocking them would be prudent.
Update: some sample emails pointing to a malicious landing page at [donotclick]belnialamsik.ru:8080/forum/links/column.php:
Date: Tue, 8 Jan 2013 10:05:55 +0100
From: Shavonda Duke via LinkedIn [member@linkedin.com]
Subject: Re: Fwd: Security update for banking accounts.
Dear Online Account Operator,
Your ACH transactions have been temporarily disabled.
View details
Best regards,
Security department
================
Date: Tue, 8 Jan 2013 01:31:43 -0300 [01/07/13 23:31:43 EST]
From: FilesTube [filestube@filestube.com]
Subject: Fwd: Re: Banking security update.
Dear Online Account Operator,
Your ACH transactions have been temporarily disabled.
View details
Best regards,
Security department
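As an added example (not part of the original post), here is a small Python script that turns the IoC list above, including the defanged landing-page URL, into a matcher and runs it over a few constructed proxy log lines. The log format (timestamp, client IP, method, URL) and the sample log lines are assumptions made for the demonstration; the IPs, domain and URL path are the ones listed in the post.

```python
import ipaddress
from urllib.parse import urlsplit

# IoCs exactly as listed in the post. The landing-page URL keeps its
# "[donotclick]" defanging so the list stays safe to copy around.
IOC_LINES = """
41.168.5.140
42.121.116.38
62.76.186.24
82.165.193.26
91.224.135.20
110.164.58.250
187.85.160.106
210.71.250.131
belnialamsik.ru
[donotclick]belnialamsik.ru:8080/forum/links/column.php
""".strip().splitlines()

# Constructed sample proxy log (assumed format: timestamp client method url).
SAMPLE_PROXY_LOG = [
    "2013-01-08T10:07:01Z 10.0.0.5 GET http://belnialamsik.ru:8080/forum/links/column.php",
    "2013-01-08T10:07:03Z 10.0.0.5 GET http://www.linkedin.com/",
    "2013-01-08T10:09:44Z 10.0.0.9 GET http://91.224.135.20/forum/links/column.php",
    "2013-01-08T10:11:02Z 10.0.0.7 GET http://example.com/forum/links/column.php",
]


def refang(value):
    """Strip the defanging markers used in the post so values can be compared."""
    return value.replace("[donotclick]", "").replace("hxxp", "http")


def load_iocs(lines):
    """Split IoC lines into bare IPs, hostnames and (host, path) landing-page URLs."""
    ips, hosts, urls = set(), set(), set()
    for raw in lines:
        item = refang(raw.strip())
        if not item:
            continue
        try:
            ips.add(str(ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass  # not a bare IP; treat as host[:port][/path]
        parts = urlsplit("//" + item)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        hosts.add(host)
        if parts.path and parts.path != "/":
            urls.add((host, parts.path))
    return ips, hosts, urls


def scan_log(lines, iocs):
    """Return (timestamp, client, host, reasons) for every log line that matches an IoC."""
    ips, hosts, urls = iocs
    known_paths = {path for _, path in urls}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if host in ips:
            reasons.append("ioc-ip")
        if host in hosts:
            reasons.append("ioc-domain")
        if (host, parts.path) in urls:
            reasons.append("landing-page-url")
        elif parts.path in known_paths:
            # Same path on an unlisted host: a weaker signal worth review, not blocking.
            reasons.append("suspicious-path")
        if reasons:
            hits.append((ts, client, host, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG, load_iocs(IOC_LINES)):
        print(hit)
```

The host-level matches (IP or domain) are the ones to act on; the path-only match is reported separately so an analyst can review it without the block list growing on a weak indicator.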
1 comment:
Hello Conrad,
Looks like they used the double obfuscation method now in the Blackhole landing page.
I put the decode guide reference here:
https://dl.dropbox.com/u/32230830/MMD-20130108-BHEK-Cridex.txt
(can't make time to blog, and pastebin rejected the big size)
Hope it's helpful.
Regards - #MalwareMustDie