Sponsored by..

Tuesday, 16 July 2013

"Invoice 48920" spam / doc201307161139482.doc

This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.

From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920

Thanks !!

Greg

Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50@travidia.com
Note that the date is included into the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47.  In theory, if your copy of Microsoft Word is up-to-date you should be immune to this. VT gives the following checksums:

MD5   935e5cacde136d006ea1bb1201a3e6ef
SHA1   bc876d53ad002f1d6fd994d6717372f374d5e6dc
SHA256   8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c


The Malwr analysis shows some of the things going on, including network connections to:
mycanoweb.com
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
188.40.92.12 (Hetzner, US)
209.222.67.251 (Razor Inc, US)

classified.byethost11.com
209.190.24.9 (Enet / XLHost, US)

myhomes.netau.net
31.170.160.129 (Main Hosting, US)

UPDATE: The ThreatTrack report [pdf] shows similar characterstics, including an attempted download from [donotclick]mycanoweb.com/report/doc.exe which is a Zbot variant with a low detection rate. (Also see the Anubis, ThreatExpert and Malwr reports for that).

Most of the IPs for mycanoweb.com overlap with these belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later it there's a problem.

Recommended blocklist:
mycanoweb.com
classified.byethost11.com
myhomes.netau.net
46.45.182.27
50.97.253.162
59.126.142.186
188.40.92.12
209.222.67.251
209.190.24.9
31.170.160.129

Additional IPs for Zbot component:
182.237.17.180
194.44.219.226
210.56.23.100

No comments: