Date: Mon, 17 Sep 2012 08:54:50 -0600
From: "Mason Jordan" [LillieRoell@digitalnubia.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order_A49436.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-130-1601 ($4.79/min).
ORDER INFORMATION
Please download your complete order id #1197744 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at kerneloffce.ru:8080/forum/links/column.php which was hosted on 46.51.218.71 (Amazon, Ireland) until it got nuked. The following domains and IP addresses are all related:
moskowpulkavo.ru
omahabeachs.ru
kerneloffce.ru
46.51.218.71
50.56.92.47
62.76.188.246
62.76.190.50
87.120.41.155
91.194.122.8
132.248.49.112
178.63.51.54
203.80.16.81