This changelog spam leads to malware on emaianem.ru:
Date: Tue, 12 Feb 2013 09:11:11 +0200
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changlog 10.2011
Good day,
changelog update - View
L. KIRKLAND
=================
Date: Tue, 12 Feb 2013 05:14:54 -0600
From: LinkedIn [welcome@linkedin.com]
Subject: Fwd: Re: Changelog as promised(updated)
Good morning,
as prmised updated changelog - View
L. AGUILAR
The malicious payload is at [donotclick]emaianem.ru:8080/forum/links/column.php and is hosted on the same servers as found here.
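As an added example (not code from the original post or from its author), here is a small Python script that refangs indicators written in the post's style (hxxp://, [donotclick], [.]) and checks Squid-style proxy access log lines against them, reporting an exact URL match separately from any contact with the payload host. The log lines are constructed; the only real indicator used is the payload URL quoted above.

```python
import re
from urllib.parse import urlsplit

# Defanging conventions commonly used in threat reports, in replacement order.
_DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"),
           ("[donotclick]", ""), ("[.]", "."), ("(.)", ".")]

def refang(indicator):
    """Turn a defanged indicator back into a parseable URL (http:// added if no scheme)."""
    s = indicator.strip()
    for old, new in _DEFANG:
        s = s.replace(old, new)
    if "://" not in s:
        s = "http://" + s
    return s

def indicator_key(url):
    """(host, port, path) used for matching; port defaults from the scheme."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        raise ValueError("no host in %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname.lower(), port, parts.path or "/")

# Squid native access log: "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
_LOG_RE = re.compile(r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<url>\S+)")

def find_hits(log_lines, indicators):
    """Return (client, url, level) triples: level 'url' for a full host/port/path
    match, 'host' for traffic to an indicator host on any other port or path."""
    keys = {indicator_key(i) for i in indicators}
    hosts = {k[0] for k in keys}
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        try:
            key = indicator_key(m.group("url"))
        except ValueError:  # malformed URL or port in the log line; skip it
            continue
        if key in keys:
            hits.append((m.group("client"), m.group("url"), "url"))
        elif key[0] in hosts:
            hits.append((m.group("client"), m.group("url"), "host"))
    return hits

INDICATORS = ["[donotclick]emaianem.ru:8080/forum/links/column.php"]  # payload URL from the post

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "1360660271.123 512 10.0.0.15 TCP_MISS/200 4096 GET http://emaianem.ru:8080/forum/links/column.php - DIRECT/203.0.113.9 text/html",
    "1360660272.456 80 10.0.0.15 TCP_MISS/200 1024 GET http://www.linkedin.com/ - DIRECT/203.0.113.10 text/html",
    "1360660273.789 77 10.0.0.22 TCP_MISS/200 2048 GET http://emaianem.ru/forum/links/column.php - DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    for client, url, level in find_hits(SAMPLE_LOG, INDICATORS):
        print("%s %s -> %s" % (level.upper(), client, url))
```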
Hello Conrad,
I am sorry, I had no time to post it on the MalwareMustDie blog, but I finished analyzing this mess. Allow me to post it as a comment here:
It downloaded Cridex and made callbacks (as usual) too:
And the dropped PWS stealer Fareit made callbacks to:
All of the software credentials slurped are listed here: http://pastebin.com/raw.php?i=xE39VTYr
The stolen and phished online banking credentials are here: http://pastebin.com/raw.php?i=uD49AiMH
I uploaded the downloaded trojan (Cridex) and the dropped trojan (Fareit) to VT here and here.