The Latest in IT Security

Here’s a “flight ticket” spam leading to malware:

Date:      Tue, 20 Mar 2012 11:56:41 +0900
From:      “DEDE Rainey”
Subject:      Re: Fwd: Your Flight N 76-124339
Attachments:     FLIGHT_TICKET_N-A7401085.htm

Dear Customer,

FLIGHT NUMBER 162-717

DATE/TIME : MARCH 28, 2011, 14:13 PM

ARRIVING AIRPORT: NEW-YORK AIRPORT

PRICE : 906.20 USD

Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

DEDE Rainey,

The attachment tries to redirect the victim to a malware site on dnvfodooshdkfhha.ru:8080/images/aublbzdni.php (report here) and as with most of the .ru:8080 attacks we see, this one is multihomed:

62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
83.238.208.55 (Netia, Poland)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy and pasting:
62.85.27.129
78.83.233.242
83.238.208.55
125.19.103.198
173.203.51.174
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138