It would seem that, after rapidshare.com took down the malware that the king.cd links in those lovely fake e-mails pointed to, the bad guys decided enough was enough, and have now reverted to using non-file-hosting sites to distribute the malware.
Don't fret though, they're still using king.cd, so feel free to blackhole it.
The latest one I've received, which was received a couple of minutes ago, has the obligatory king.cd URL (king.cd/KuLk), which then leads you to:
hxxp://www.orlandoula.com/MicrosoftFramework.exe
VirusTotal results: http://www.virustotal.com/analisis/4d9412e7ab486f6fa3e64164e65dfa51ebeac1eb083d67c1587db2528befcb3e-1249879734
orlandoula.com currently lives at 67.219.36.164 (AS14242, LogicalSolutions.net). The domain was registered in 2007, so it's likely the site was hacked (though it does beg the question of why it's still got a "website coming shortly" message on its homepage).
References:
Alert: Malicious Microsoft e-mail using king.cd and RapidShare
http://hphosts.blogspot.com/2009/08/alert-malicious-microsoft-e-mail-using.html
Sunday, 9 August 2009