To prove that the Bad Guys have a sense of humour at least, this fake email claims to be a renewal subscription for Webroot:
From: Best Buy Subscription Software [mailto:noresponse@softwaresubscription.bestbuy.com]
Sent: 06 August 2010 11:23
Subject: Thank You, Your Anti-Virus Protection Plan has been renewed
Dear [victim]
Your Webroot Spysweeper with AntiVirus Product Protection Plan has been successfully renewed and charged to the credit card you have on file with us. With this automatic renewal, you will continue to have uninterrupted anti-virus software protection on your PC for another year plus these great benefits:
òÀâ Best in Class Security Software
òÀâ No hassle automatic renewals makes sure that you will never go unprotected
òÀâ Receive all version updates free of charge
òÀâ Cancel at any time and received a refund for any unused months of protection
òÀâ Simple Customer Support, Call 1-888-BESTBUY with any questions
-------------------------------------------------------------
Here are the details of your renewed Protection Plan:
-------------------------------------------------------------
Product: Webroot Spysweeper with AntiVirus Product
Protection Plan: Annual
Best Buy Serial Number: WBR00AV000044180817
Transaction Date: 7/19/2010
Renewal Price: $43.54
If you have any questions about your protection plan or your recent renewal, please contact our Customer Support Team at 1-888-BESTBUY (1-888-237-8289), and ask for the Subscription Software Team.
Thank you again for your business, and being a Best Buy Customer.
Sincerely,
Best Buy Stores, L.P.
ddd
Payload and approach seem to be exactly the
same as this one, with a Bredolab dropper. Again, it routes through
yummyeyes.ru and you should look for the same log entries of
.ru:8080 and
/x.html to make sure you are clean.
In this case the intermediate step is a hacked site at peninsula.co.nz/x.html but it probably varies.
If you are not in the US, then blocking bestbuy.com at your mail perimeter will do no harm.