[nsp-sec] Storm hit - download site at lwmfuf.adorepoem.com
Chris Calvert
Chris.Calvert at telus.com
Mon Jan 26 11:25:01 EST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello
I received a spam hit at an incident reporting email address (that isn't in
wide distribution by any stretch of the imagination) on the weekend from a
source in Japan, then relayed through an IP in China. Looks like Storm.
- -- HEADERSAMPLE BEGIN --
Received: from unknown (HELO wergvan) ([222.81.253.132]) by
bliksem.nssi.telus.com with SMTP; 24 Jan 2009 05:48:59 +0000
Received: from chgp ([163.133.174.96]) by wergvan with Microsoft
SMTPSVC(6.0.3790.0); Tue, 24 Jun 2008 13:36:53 +0800
Message-ID: <20080624133653.8000509 at maersk.com>
Date: Tue, 24 Jun 2008 13:36:53 +0800
From: Samuel Graham <ingramcpw at maersk.com>
User-Agent: Thunderbird 1.5.0.14 (Windows/20071210)
MIME-Version: 1.0
To: REDACTED
Subject: Missing you with every breath
- -- HEADERSAMPLE END --
Note the timestamps on the two Received headers: 24 Jun 2008, then 24 Jan
2009. This isn't the first time the maersk.com domain has been seen in spam,
according to a quick Google search.
The download site is at this FQDN: lwmfuf.adorepoem.com
It is currently pointing to:
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
27274 | 141.209.179.129 | 141.209.0.0/16 | US | arin | 1990-08-02 | CMICH - Central Michigan University
Lookups for the IPs in the headers:
Received: from chgp ([163.133.174.96])
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
NA | 163.133.174.96 | NA | JP | apnic | 1992-11-30 | NA
role: Japan Network Information Center
address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address: Chiyoda-ku, Tokyo 101-0047, Japan
country: JP
phone: +81-3-5297-2311
fax-no: +81-3-5297-2312
e-mail: hostmaster at nic.ad.jp
admin-c: JI13-AP
tech-c: JE53-AP
nic-hdl: JNIC1-AP
mnt-by: MAINT-JPNIC
changed: hm-changed at apnic.net 20041222
changed: hm-changed at apnic.net 20050324
changed: ip-apnic at nic.ad.jp 20051027
source: APNIC
Received: from unknown (HELO wergvan) ([222.81.253.132])
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
4134 | 222.81.253.132 | 222.80.0.0/15 | CN | apnic | 2003-10-27 | CHINANET-BACKBONE No.31,Jin-rong Street
__________________________________
Chris Calvert
TELUS
PGP KeyID: 0x24C3AE36
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wsBVAwUBSX3j0wNosZkkw642AQjiFQgAg+QlhxETxZbQ1TdsYK1XWbDL53fEVv7O
WOKRkEpzXHxhIacxT2WAPneLiIEQJN8xAhSAuTOlL0hYlYSL7rlBfSH7e63ioGhC
72dIkmPjFxziL/xhzZACQ05s37kqvk8VcdFXbRHyWlUU6Jynk+fIWs6LUNEw31AN
aKWNs3PH9KE1ctaolqt6ZRMZcEJfy0TbttS7doXnTks+0I5yomUGQMOULZ/whwBL
jxDVATJ7yQyn+gIQnBAJTFHTVqwmRKdHoYYfqs5TVFeRWLEtKyxNnbFKgtLfz3Lf
bynxbs3b+adtMsimYyS0V0BoKzfstw93QzZRl3wfPQv996XPOsRkHQ==
=gNEu
-----END PGP SIGNATURE-----
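The timestamp gap Chris points out (one hop stamped June 2008, the next January 2009) is the kind of thing that is easy to check automatically. The script below is an added example, not part of the original post: it parses the header sample above (re-folded with leading whitespace so a standard parser sees two `Received:` fields, with the archive's "at" obfuscation restored to "@" and a placeholder recipient), extracts each hop's reverse-DNS name, HELO string, IP and timestamp, and reports hops whose clocks disagree by more than a tolerance, a `Date:` header that trails final delivery, and hops with no reverse DNS. Only the Python standard library is used; the 24-hour tolerance is an assumption, not something from the post.

```python
"""Flag clock skew between Received: hops and other header oddities.
Added example built around the header sample in the post above."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# The post's header sample, re-folded so the parser sees two Received: fields.
# Addresses are de-obfuscated ("at" -> "@"); the recipient is a placeholder.
SAMPLE_HEADERS = """\
Received: from unknown (HELO wergvan) ([222.81.253.132]) by
 bliksem.nssi.telus.com with SMTP; 24 Jan 2009 05:48:59 +0000
Received: from chgp ([163.133.174.96]) by wergvan with Microsoft
 SMTPSVC(6.0.3790.0); Tue, 24 Jun 2008 13:36:53 +0800
Message-ID: <20080624133653.8000509@maersk.com>
Date: Tue, 24 Jun 2008 13:36:53 +0800
From: Samuel Graham <ingramcpw@maersk.com>
User-Agent: Thunderbird 1.5.0.14 (Windows/20071210)
MIME-Version: 1.0
To: redacted@example.invalid
Subject: Missing you with every breath

"""

# Bracketed IPv4 literal as written by the receiving MTA.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "from <rdns>" optionally followed by "(HELO <name>)".
HELO_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(HELO\s+([^)\s]+)\))?", re.IGNORECASE)


def parse_hops(raw):
    """Return the Received: hops newest-first (header order), each as a dict
    with the reverse-DNS name, HELO string, connecting IP and timestamp."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        clause, _, stamp = value.rpartition(";")   # timestamp follows the last ';'
        who = HELO_RE.search(clause)
        ip = IP_RE.search(clause)
        hops.append({
            "rdns": who.group(1) if who else None,
            "helo": (who.group(2) or who.group(1)) if who else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return hops


def hop_skews(hops):
    """Clock difference between each hop and the hop that handed the message on."""
    return [upper["time"] - lower["time"] for upper, lower in zip(hops, hops[1:])]


def check_skew(raw, max_skew=timedelta(hours=24)):
    """Return a list of human-readable findings for the message headers."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    findings = []
    for (upper, lower), skew in zip(zip(hops, hops[1:]), hop_skews(hops)):
        if abs(skew) > max_skew:
            findings.append(
                f"hop {lower['ip']} -> {upper['ip']}: clock skew of {skew}")
    if hops and msg["Date"]:
        date_skew = hops[0]["time"] - parsedate_to_datetime(msg["Date"])
        if abs(date_skew) > max_skew:
            findings.append(f"Date: header trails final delivery by {date_skew}")
    for hop in hops:
        if hop["rdns"] and hop["rdns"].lower() == "unknown":
            findings.append(
                f"hop {hop['ip']} has no reverse DNS (HELO {hop['helo']})")
    return findings


if __name__ == "__main__":
    for finding in check_skew(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample, this reports a skew of 214 days between the two hops, the same lag between the `Date:` header and final delivery, and the hop with no reverse DNS, which is exactly the pattern described in the post. Legitimate relays do drift by minutes or occasionally hours, so the tolerance should be tuned to the mail flow being monitored rather than set to zero.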