Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 4 August 2009

YAB (Yet Another Botnet) Microsoft exploit e-mails

We've got more of these fake Microsoft e-mails doing the rounds folks, and as with the Alliance and Leicester scams, these are all hosted on residential machines by the looks of it.

Unlike the Alliance and Leicester ones however, these have a nasty surprise waiting for you.

Should you realize your mistake before infecting yourself with the download they're offering, they've been kind enough to try and ensure you get *something*, which in this case, comes from fx-news.ru, and thankfully at the time of writing this, the exploit part of this, isn't working.


The URL that should be giving you the exploit, is currently serving a MySQL error message;

Can't connect to MySQL server on '91.207.116.22' (4)


91.207.116.22 is located on a Rushkranian block, apparently owned by Rise-v Ltd, which was also the source of the exploit at kervinly.com.

inetnum: 91.207.116.0 - 91.207.117.255
netname: EASTNET-UA-NET-2
descr: Rise-v Ltd
country: UA
org: ORG-RL28-RIPE
admin-c: LV1630-RIPE
tech-c: LV1630-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-NETART
mnt-routes: MNT-NETART
mnt-domains: MNT-NETART
source: RIPE # Filtered

organisation: ORG-RL28-RIPE
org-name: Rise-v, Ltd.
org-type: OTHER
descr: Rise-v, Ltd.
address: Traktorostroiteley str. 158, apt. 43
address: 61129, Kharkov, Ukraine
phone: +38 057 7616277
phone: +38 067 5791028
admin-c: LV1630-RIPE
tech-c: LV1630-RIPE
mnt-ref: EASTNET-MNT
mnt-by: EASTNET-MNT
source: RIPE # Filtered

person: Valera Lelin
address: 61129, Ukraine, Kharkov, Traktorostroiteley 158 str, apt. 43
phone: +380577507505
phone: +380639797654
remarks: ICQ: 4333444
remarks: agaaga
abuse-mailbox: abuse@rise.com.ua
nic-hdl: LV1630-RIPE
mnt-by: EASTNET-MNT
source: RIPE # Filtered

:: Information related to '91.207.116.0/23AS49536'

route: 91.207.116.0/23
descr: DENTAGLOBAL route
origin: AS49536
mnt-by: DENTA-MNT
source: RIPE # Filtered


URL's I've seen thus far;

http://update.microsoft.com.jiklaut.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=463335680057515548370716321207756784829866348428006905629
http://update.microsoft.com.ferrateu.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
http://update.microsoft.com.ferratet.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
update.microsoft.com.nsatc.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=10523941098791395374955537386571
update.microsoft.com.herrjuy.vu/microsoftofficeupdate/isapdl/default.aspx/?ln=en-us&id=286426523836840882450605409068671
update.microsoft.com.ferratep.net/microsoftofficeupdate/isapdl/default.aspx/?ln=en-us&id=286426523836840882450605409068671


Not all of these are still resolving.

Jaxryley over at Malwarebytes has saved me some time, by providing the VT results;

http://www.virustotal.com/analisis/508348da73073323a5baf3406eea1bcb687e0eb987ada8b1ce6b126f7d8bdab0-1249432378

With the Threat Expert results available at;

http://www.threatexpert.com/report.aspx?md5=d04b69dda52305d88e1bf7fe2b2a6034

For clarity, one of the e-mails I received, is shown below.



/edit 05-08-09 04:41

Added update.microsoft.com.ferratep.net

No comments: