[nsp-sec] ACK 174 RE: as4134 Fake microsoft infection notification leads to conficker related malware hosting.
Shelton, Steve
sshelton at Cogentco.com
Mon Apr 6 14:05:32 EDT 2009
Hello,
ACK for 174, dead here and will try to have mitigated downstream.
Steve Shelton
Security Engineer
Cogent Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Smith, Donald
Sent: Monday, April 06, 2009 11:38 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] as4134 Fake microsoft infection notification leads to
conficker related malware hosting.
----------- nsp-security Confidential --------
On another list someone forwarded this email that pretends to be
Microsoft reaching out to assist conficker infected customers with a
free scan.
The link leads to malware and malicious html so I defanged the link.
$ whois -h whois.cymru.com 222.186.9.187
AS | IP | AS Name
4134 | 222.186.9.187 | CHINANET-BACKBONE No.31,Jin-rong Street
$ whois -h upstream-whois.cymru.com 222.186.9.187
PEER_AS | IP | AS Name
174 | 222.186.9.187 | COGENT Cogent/PSI
1239 | 222.186.9.187 | SPRINTLINK - Sprint
2516 | 222.186.9.187 | KDDI KDDI CORPORATION
2828 | 222.186.9.187 | XO-AS15 - XO Communications
2914 | 222.186.9.187 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257 | 222.186.9.187 | TISCALI-BACKBONE Tiscali Intl Network BV
3320 | 222.186.9.187 | DTAG Deutsche Telekom AG
3356 | 222.186.9.187 | LEVEL3 Level 3 Communications
3491 | 222.186.9.187 | BTN-ASN - Beyond The Network America, Inc.
3549 | 222.186.9.187 | GBLX Global Crossing Ltd.
3561 | 222.186.9.187 | SAVVIS - Savvis
7132 | 222.186.9.187 | SBIS-AS - AT&T Internet Services
11164 | 222.186.9.187 | TRANSITRAIL - National LambdaRail, LLC
Original email.
> > ========================================
> > Dear Microsoft Customer,
> >
> > On April 1st, 2009 the Conficker worm started infecting Microsoft
> > Windows users incredibly rapidly.
> > Microsoft has been alerted by your Internet company that your
> > network is showing signs of infection.
> > To impede further infection we recommend running a full scan on oyur
> > computer.
> > We are supplying all effected Windows users with a free system scan
> > in order to remove the infection from their system.
> >
> > Please visit the Microsoft System Security Scanner website by simply
> > clicking here
> > (hxxp://Microsoftsupport.microsoft.com.custserv.microsoft86.client9.secureserver5.cc)
> > to begin scanning your system.
> >
> > The scanner will take under a minute to run and will protect your
> > files from being compromised.
> >
> > We appreciate your prompt cooperation in this matter.
> >
> > Regards,
> > Microsoft Representative #90 (Rita)
> > Windows Computer Security Division
> > Email Ref Num: 5LtgPLX3
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com gcia
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.