[nsp-sec] as4134 Fake microsoft infection notification leads to conficker related malware hosting.

Smith, Donald Donald.Smith at qwest.com
Mon Apr 6 13:38:04 EDT 2009


On another list someone forwarded this email that pretends to be Microsoft reaching out to assist Conficker-infected customers with a free scan.


The link leads to malware and malicious HTML, so I defanged it.
$ whois -h whois.cymru.com 222.186.9.187
AS      | IP               | AS Name
4134    | 222.186.9.187    | CHINANET-BACKBONE No.31,Jin-rong Street


$ whois -h upstream-whois.cymru.com 222.186.9.187
PEER_AS | IP               | AS Name
174     | 222.186.9.187    | COGENT Cogent/PSI
1239    | 222.186.9.187    | SPRINTLINK - Sprint
2516    | 222.186.9.187    | KDDI KDDI CORPORATION
2828    | 222.186.9.187    | XO-AS15 - XO Communications
2914    | 222.186.9.187    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257    | 222.186.9.187    | TISCALI-BACKBONE Tiscali Intl Network BV
3320    | 222.186.9.187    | DTAG Deutsche Telekom AG
3356    | 222.186.9.187    | LEVEL3 Level 3 Communications
3491    | 222.186.9.187    | BTN-ASN - Beyond The Network America, Inc.
3549    | 222.186.9.187    | GBLX Global Crossing Ltd.
3561    | 222.186.9.187    | SAVVIS - Savvis
7132    | 222.186.9.187    | SBIS-AS - AT&T Internet Services
11164   | 222.186.9.187    | TRANSITRAIL - National LambdaRail, LLC
Original email.
> > ========================================
> > Dear Microsoft Customer,
> > 
> > On April 1st, 2009 the Conficker worm started infecting Microsoft
> > Windows users incredibly rapidly.
> > Microsoft has been alerted by your Internet company that your 
> > network is
> > showing signs of infection.
> > To impede further infection we recommend running a full scan on oyur
> > computer.
> > We are supplying all effected Windows users with a free system scan in
> > order to remove the infection from their system.
> > 
> > Please visit the Microsoft System Security Scanner website by simply
> > clicking here
> > (hxxp://Microsoftsupport.microsoft.com.custserv.microsoft86.cl
> > ient9.secureserver5.cc) to begin scanning your system.
> > 
> > The scanner will take under a minute to run and will protect 
> > your files
> > from being compromised.
> > 
> > We appreciate your prompt cooperation in this matter.
> > 
> > Regards,
> > Microsoft Representative #90 (Rita)
> > Windows Computer Security Division
> > Email Ref Num: 5LtgPLX3 

Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com gcia 
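Added example (not part of the original post or of any Team Cymru tooling): the two checks a responder would script around a report like this one. First, the phishing URL above stuffs `microsoft.com` into a long hostname while the registrable domain is actually `secureserver5.cc`; the code below refangs the `hxxp://` indicator, extracts the registrable domain and flags the brand mismatch. Second, it parses the pipe-delimited table that `whois -h whois.cymru.com` returns into records so the AS and peer lists can be handled programmatically. The sample URL and whois lines are copied from the post; the two-label registrable-domain rule is a stated simplification (a Public Suffix List lookup is needed for suffixes like `co.uk`).

```python
"""Defang/refang, lookalike-domain check and Team Cymru whois parsing.
Added example; not from the original nsp-sec post."""
import re
from urllib.parse import urlparse

# Defanged phishing URL from the post, with the archive's line wrap joined.
PHISH_URL = ("hxxp://Microsoftsupport.microsoft.com.custserv.microsoft86."
             "client9.secureserver5.cc")

# Copy of the whois.cymru.com output quoted in the post (first table).
CYMRU_OUTPUT = """\
AS      | IP               | AS Name
4134    | 222.186.9.187    | CHINANET-BACKBONE No.31,Jin-rong Street
"""


def refang(url):
    """Turn hxxp:// back into http:// so the URL can be parsed (not fetched)."""
    return re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.IGNORECASE)


def defang(url):
    """Turn http:// into hxxp:// before pasting an indicator into a report."""
    return re.sub(r'^http(s?)://', r'hxxp\1://', url, flags=re.IGNORECASE)


def hostname(url):
    """Lower-cased hostname of a (possibly defanged) URL."""
    return urlparse(refang(url)).hostname.lower()


def registrable_domain(url):
    """Rightmost two labels of the hostname.

    Simplification (assumption): wrong for multi-label public suffixes such
    as co.uk; production code should consult the Public Suffix List.
    """
    labels = hostname(url).split('.')
    return '.'.join(labels[-2:])


def spoofs_brand(url, brand_domain):
    """True when the brand name appears in the hostname but the brand does
    not own the registrable domain, i.e. subdomain stuffing as in the phish."""
    host = hostname(url)
    return brand_domain in host and registrable_domain(url) != brand_domain


def parse_cymru(text):
    """Parse the pipe-delimited table returned by whois.cymru.com (and the
    upstream-whois variant, whose first column is PEER_AS) into dicts keyed
    by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split('|')]
    records = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.split('|')]
        records.append(dict(zip(header, fields)))
    return records


if __name__ == '__main__':
    print('registrable domain:', registrable_domain(PHISH_URL))
    print('spoofs microsoft.com:', spoofs_brand(PHISH_URL, 'microsoft.com'))
    for rec in parse_cymru(CYMRU_OUTPUT):
        print(rec)
```

The brand check is deliberately conservative: it only fires when the brand string is present in the host *and* the registrable domain differs, so a legitimate `www.microsoft.com` link passes while the `...microsoft.com.custserv...secureserver5.cc` host from the sample is flagged.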


