The Latest in IT Security

goo.gl/NEQlS link leads to malware

14 March 2012

Another case of the goo.gl redirector being used for evil:

From: Dilip Lalita [email protected]
Date: 14 March 2012 09:38
Subject: Changes in FDIC policy #22666447
Signed by: yahoo.com

Id 36-4866333-96425034-8-662
<!--KG 19021150 K

 http://goo.gl/NEQlS

HF 22555007 Z

goo.gl/NEQlS leads to m6ttp.burdencrigyll.ru (multihomed, see below) and then to a malicious payload site at 64.150.166.50/showthread.php?t=72d268be707a5fb7 (iPower, US). This URL contains an exploit kit.

The intermediate step is hosted on several servers:

31.40.240.89 (Ukrainian American Joint Venture, Ukraine)
31.45.144.128 (VIPnet, Croatia)
46.146.101.194 (ER-Telecom Holding, Russia)
46.173.172.249 (Galitski Telekommunications, Ukraine)
49.0.153.231 (Yokozunanet, Mongolia)
59.93.196.162 (BSNL Internet, India)
59.103.211.151 (Pakistan Telecommunication Company Limited, Pakistan)
59.161.115.17 (TATA Communications, India)
61.227.168.35 (HINET, Taiwan)
77.34.225.103 (Rostelecom, Russia)
91.82.23.56 (Invitel, Hungary)
95.57.154.111 (Kazakhtelecom, Kazakhstan)
95.57.188.134 (Kazakhtelecom, Kazakhstan)
95.188.155.101 (Rostelecom, Russia)
95.234.146.196 (Alice, Italy)
109.191.44.122 (Intersvyaz-2, Russia)
114.163.159.142 (Open Computer Network, Japan)
115.242.148.93 (Reliance Communication, India)
122.175.149.136 (Bharti Airtel, India)
178.91.60.141  (Kazakhtelecom, Kazakhstan)

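Added example (not code from the post): a small Python helper that expands a shortened URL one HEAD request at a time, never letting the client auto-follow or fetch a body, and then flags hops whose host is multihomed or resolves to a blocklisted address. The fetcher and resolver are injected; `demo_chain` stubs them with the hosts and a few of the addresses from this post, plus a placeholder address for goo.gl, so it runs offline.

```python
"""Expand a short URL's redirect chain hop by hop (headers only) and assess
each hop.  Illustrative code; fetch_head and resolve are injected callables."""
from urllib.parse import urlparse

MAX_HOPS = 10  # cap so a redirect loop cannot run forever


def walk_redirects(url, fetch_head, max_hops=MAX_HOPS):
    """Return the list of URLs visited.  fetch_head(url) must issue a single
    HEAD request with auto-redirects disabled and return (status, location)."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch_head(hops[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        hops.append(location)
    raise RuntimeError("redirect chain exceeded %d hops" % max_hops)


def assess_chain(hops, resolve, bad_ips):
    """For each hop, resolve its host (resolve(host) -> list of IPv4 strings),
    note whether it is multihomed (several A records, like the intermediate
    host in the post) and whether any address is on the blocklist."""
    findings = []
    for hop in hops:
        host = urlparse(hop).hostname or ""
        addrs = resolve(host) if host else []
        findings.append({
            "url": hop,
            "host": host,
            "multihomed": len(addrs) > 1,
            "blocklisted": any(a in bad_ips for a in addrs),
        })
    return findings


def demo_chain():
    """Constructed offline stub of the chain described in the post."""
    redirects = {
        "http://goo.gl/NEQlS": (301, "http://m6ttp.burdencrigyll.ru/"),
        "http://m6ttp.burdencrigyll.ru/":
            (302, "http://64.150.166.50/showthread.php?t=72d268be707a5fb7"),
    }
    dns = {
        "goo.gl": ["203.0.113.10"],  # placeholder (RFC 5737 range)
        "m6ttp.burdencrigyll.ru": ["31.40.240.89", "31.45.144.128", "46.146.101.194"],
        "64.150.166.50": ["64.150.166.50"],
    }
    hops = walk_redirects("http://goo.gl/NEQlS",
                          lambda u: redirects.get(u, (200, None)))
    return assess_chain(hops, lambda h: dns.get(h, []), {"64.150.166.50"})
```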
