From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920
Thanks !!
Greg
Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50@travidia.com
Note that the date is included in the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47. In theory, if your copy of Microsoft Word is up-to-date you should be immune to this. VT gives the following checksums:
MD5 935e5cacde136d006ea1bb1201a3e6ef
SHA1 bc876d53ad002f1d6fd994d6717372f374d5e6dc
SHA256 8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c
The Malwr analysis shows some of the things going on, including network connections to:
mycanoweb.com
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
188.40.92.12 (Hetzner, US)
209.222.67.251 (Razor Inc, US)
classified.byethost11.com
209.190.24.9 (Enet / XLHost, US)
myhomes.netau.net
31.170.160.129 (Main Hosting, US)
UPDATE: The ThreatTrack report [pdf] shows similar characteristics, including an attempted download from [donotclick]mycanoweb.com/report/doc.exe which is a Zbot variant with a low detection rate. (Also see the Anubis, ThreatExpert and Malwr reports for that).
Most of the IPs for mycanoweb.com overlap with those belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites. I would lean towards blocking them now and unblocking them later if there's a problem.
Recommended blocklist:
mycanoweb.com
classified.byethost11.com
myhomes.netau.net
46.45.182.27
50.97.253.162
59.126.142.186
188.40.92.12
209.222.67.251
209.190.24.9
31.170.160.129
Additional IPs for Zbot component:
182.237.17.180
194.44.219.226
210.56.23.100
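As an added example (not from the original post), here is the blocklist above applied to a few constructed proxy-log lines in Python; the log format, the internal client addresses and the sample lines are assumptions. The host check is an exact match, following the point that byethost11.com and netau.net are shared hosting, so only the specific subdomains named in the post are flagged.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: blocklist hosts/IPs, Zbot download URL, document SHA256.
BLOCKED_HOSTS = {"mycanoweb.com", "classified.byethost11.com", "myhomes.netau.net"}
BLOCKED_IPS = {ipaddress.ip_address(ip) for ip in (
    "46.45.182.27", "50.97.253.162", "59.126.142.186", "188.40.92.12",
    "209.222.67.251", "209.190.24.9", "31.170.160.129",
    "182.237.17.180", "194.44.219.226", "210.56.23.100")}
ZBOT_URL = ("mycanoweb.com", "/report/doc.exe")
DOC_SHA256 = "8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c"
# Hypothetical proxy-log format (assumption): "<time> <client> <dest_ip> <url> <sha256-or-dash>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return the reasons a log line matches the indicators (empty list = no match)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    _time, _client, dest_ip, url, sha = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    # Exact hostname match only: byethost11.com and netau.net are shared hosting,
    # so matching the parent domain would also flag unrelated legitimate sites.
    if host in BLOCKED_HOSTS:
        reasons.append("blocked host: " + host)
    try:
        if ipaddress.ip_address(dest_ip) in BLOCKED_IPS:
            reasons.append("blocked ip: " + dest_ip)
    except ValueError:
        pass  # destination is a hostname, not an IP literal; the host check covers it
    if (host, parts.path) == ZBOT_URL:
        reasons.append("zbot download url")
    if sha.lower() == DOC_SHA256:
        reasons.append("malicious document hash")
    return reasons

def scan(log_text):
    """Return [(line, reasons)] for every line matching at least one indicator."""
    return [(ln, classify(ln)) for ln in log_text.splitlines() if classify(ln)]

# Constructed sample lines: a Zbot fetch, a benign visit to a shared host's parent domain (no match), an upload of the document.
SAMPLE_LOG = """\
10:01:02 10.0.0.5 46.45.182.27 http://mycanoweb.com/report/doc.exe -
10:01:03 10.0.0.6 198.51.100.7 http://www.byethost11.com/ -
10:01:04 10.0.0.7 198.51.100.8 http://mail.example/attachment 8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c
"""
```

`scan(SAMPLE_LOG)` returns the first and third lines with their reasons; the benign byethost11.com visit is not flagged.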