The Latest in IT Security

“Your Flight” spam / cparabnormapoopdsf.ru

29 Feb 2012

This spam comes with a malicious attachment pointing to a page on cparabnormapoopdsf.ru.

Date:      Tue, 27 Feb 2012 03:53:09 +0530
From:      [email protected]
Subject:      Fwd: Your Flight N US787-8929269
Attachments:     FLIGHT_TICKET_N3988-753843.htm

Dear Customer,

FLIGHT NUMBER 8333-452628141

DATE/TIME : MARCH 23, 2011, 16:15 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 856.77 USD

Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

LAKEISHA Wolff,

American Airlines

The payload is at cparabnormapoopdsf.ru:8080/images/aublbzdni.php (report here). As with other .ru:8080 attacks, this one is multihomed on some familiar-looking IPs:

50.31.1.105 (Steadfast Networks, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
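Because the domain is multihomed, blocking a single address is not enough; the sketch below is an added example (not part of the original post) that checks proxy log lines against the domain, the .ru:8080 pattern and a destination-IP blocklist together. The log layout, the function names, the sample lines and the placeholder blocklist addresses are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

KNOWN_DOMAIN = "cparabnormapoopdsf.ru"   # domain named in the post
CAMPAIGN_PORT = 8080                     # the ".ru:8080" pattern from the post
# Constructed placeholders (TEST-NET ranges); load the post's hosting IPs here.
BLOCKED_IPS = {"192.0.2.10", "198.51.100.7"}

# Assumed log layout: "<timestamp> <client_ip> <dest_ip> <method> <url>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return (client_ip, reasons) for one log line; reasons is [] if clean."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None, []                  # unparseable line: skip, do not guess
    _, client, dest_ip, _, url = m.groups()
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port
    except ValueError:                   # malformed host or port in the URL
        host, port = "", None
    reasons = []
    if host == KNOWN_DOMAIN:
        reasons.append("known-domain")
    if host.endswith(".ru") and port == CAMPAIGN_PORT:
        reasons.append("ru-8080-pattern")  # heuristic: review before blocking
    if dest_ip in BLOCKED_IPS:
        reasons.append("blocked-ip")       # also catches requests by raw IP
    return client, reasons

def scan(lines):
    """Map each client with at least one hit to the set of reasons seen."""
    hits = {}
    for line in lines:
        client, reasons = classify(line)
        if reasons:
            hits.setdefault(client, set()).update(reasons)
    return hits

# Constructed sample log lines (clients, timestamps and second .ru host invented).
SAMPLE_LOG = [
    "2012-02-27T09:01:12Z 10.0.0.21 192.0.2.10 GET http://cparabnormapoopdsf.ru:8080/images/aublbzdni.php",
    "2012-02-27T09:02:40Z 10.0.0.35 203.0.113.5 GET http://constructed-example.ru:8080/index.php",
    "2012-02-27T09:03:05Z 10.0.0.35 203.0.113.9 GET http://example.com:8080/status",
    "2012-02-27T09:04:18Z 10.0.0.44 198.51.100.7 GET http://198.51.100.7:8080/x",
    "garbage line",
]

if __name__ == "__main__":
    for client, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(client, sorted(reasons))
```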

