[nsp-sec] Yet another variation on mailbox settings - now Google and 100mb.com
Bill Owens
owens at nysernet.org
Fri May 14 11:50:50 EDT 2010
(At the point where nobody cares about these things any more, just let me know and I'll stop forwarding them ;)
Today's version, three identical messages. One to a Google group and what appears to be a dead link, though the group is still live. The other two to 100mb.com, with two different malware binaries.
>Received: from RZCUFBHU (unknown [178.175.58.222])
> by adelie.nysernet.org (Postfix) with ESMTP id 9B30C590050 for
> <bill-tapr at owensfamily.org>; Fri, 14 May 2010 07:15:19 -0400 (EDT)
>Received: from [178.175.58.222] (port=1632 helo=deacompuf6b2b4)
> by mail.reikihealingpower.com with asmtp id 3573B6-000878-87 for
> <bill-tapr at owensfamily.org>; Fri, 14 May 2010 13:15:15 +0100
>Date: Fri, 14 May 2010 13:15:15 +0100
>From: "owensfamily.org support" <arrivalss80 at reikihealingpower.com>
>Subject: owensfamily.org account notification
>To: <bill-tapr at owensfamily.org>
>Message-id: <07071448202F4EA0BF889500679F5395 at deacompuf6b2b4>
>
>Dear Customer,
>
>This e-mail was send by owensfamily.org to notify you that we have temporanly prevented access to your account.
>
>We have reasons to beleive that your account may have been accessed by someone else. Please run this file and Follow instructions:
>
>http://leanrocker.googlegroups.com/web/setup.zip
>
>(C) owensfamily.org
There's a link on the Google Groups page:
http://leanrocker.googlegroups.com/web/setup.zip?gda=Z2QDgTwAAADXBBIiBXKLDviAZvIdPhRlhq-WGKtdfzfutMIYuNpFvGcp0nYjGgMI1RgcD7tBrYz9Wm-ajmzVoAFUlE7c_fAt
Which goes nowhere. But that's the same format that was used in the Yahoo! links earlier in the week.
>Return-path: <vegaw at rogers-brown.com>
> obill at verizon.net; Fri, 14 May 2010 07:41:21 -0500 (CDT)
>Received: from 245.subnet222-124-109.speedy.telkom.net.id
> (unknown [222.124.109.245]) by adelie.nysernet.org (Postfix)
> with ESMTP id D6A50590050 for <bill-tapr at owensfamily.org>; Fri,
> 14 May 2010 08:41:15 -0400 (EDT)
>Received: from [222.124.109.245] (port=0264 helo=personaldg3fpc)
> by mail2.rogers-brown.com with asmtp id 22869B-000081-03 for
> <bill-tapr at owensfamily.org>; Fri, 14 May 2010 19:41:10 +0700
>Date: Fri, 14 May 2010 19:41:10 +0700
>From: "owensfamily.org support" <support at owensfamily.org>
>Subject: owensfamily.org account notification
>To: <bill-tapr at owensfamily.org>
>Message-id: <6CD41114D463426F85D56435F06CD6C3 at personaldg3fpc>
>
>Dear Customer,
>
>This e-mail was send by owensfamily.org to notify you that we have temporanly prevented access to your account.
>
>We have reasons to beleive that your account may have been accessed by someone else. Please run this file and Follow instructions:
>
>http://leanrock.110mb.com/setup.zip
>
>(C) owensfamily.org
This link is live, and virustotal has a result for it:
http://www.virustotal.com/analisis/cb903e9655ab9e09b86341290c3818fc9b8f3bdec3533090b2691a650b365dd2-1273850445
>Received: from NXCUJUYL (unknown [59.93.245.143])
> by adelie.nysernet.org (Postfix) with ESMTP id A975B590050 for
> <bill-tapr at owensfamily.org>; Fri, 14 May 2010 08:59:41 -0400 (EDT)
>Received: from [59.93.245.143] (port=7031 helo=astocomputer)
> by relay.radiancy.com with asmtp id 81784B-0002B3-83 for
> <bill-tapr at owensfamily.org>; Fri, 14 May 2010 18:29:31 +0530
>Date: Fri, 14 May 2010 18:29:31 +0530
>From: "owensfamily.org support" <nationalizesdk at radiancy.com>
>Subject: owensfamily.org account notification
>To: <bill-tapr at owensfamily.org>
>Message-id: <932C1FE9DD6D4FFCB4180AB81C7244CC at astocomputer>
>
>Dear Customer,
>
>This e-mail was send by owensfamily.org to notify you that we have temporanly prevented access to your account.
>
>We have reasons to beleive that your account may have been accessed by someone else. Please run this file and Follow instructions:
>
>http://leanrocks.110mb.com/setup.zip
>
>(C) owensfamily.org
Likewise, this link still works, and virustotal says that it's another binary:
http://www.virustotal.com/analisis/284aab60f3c86907ebb98da55a338148121c5cc4f0c2c4dcbf947e87bf17a0d8-1273850358
Both those 110mb.com hosts resolve to:
AS | IP | AS Name
32613 | 174.142.79.83 | IWEB-AS - iWeb Technologies Inc.
That ASN shows up quite a bit in my nsp-sec archives. . .
Bill.
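The three lures above share a pattern a triage script can key on: the bottom-most Received header names the real submitting client, the From display name borrows the victim's own domain while the address belongs to some unrelated relay, and the body links straight to a setup.zip on free hosting. The following is an added example, not part of the original post: it runs over a constructed copy of the third lure's headers (">" stripped, "at" rewritten as "@") and returns those findings.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the third lure quoted in the post, ">" stripped and
# "at" rewritten as "@", embedded here so the check runs offline.
SAMPLE = """Received: from NXCUJUYL (unknown [59.93.245.143])
 by adelie.nysernet.org (Postfix) with ESMTP id A975B590050 for
 <bill-tapr@owensfamily.org>; Fri, 14 May 2010 08:59:41 -0400 (EDT)
Received: from [59.93.245.143] (port=7031 helo=astocomputer)
 by relay.radiancy.com with asmtp id 81784B-0002B3-83 for
 <bill-tapr@owensfamily.org>; Fri, 14 May 2010 18:29:31 +0530
From: "owensfamily.org support" <nationalizesdk@radiancy.com>
Subject: owensfamily.org account notification
To: <bill-tapr@owensfamily.org>

Dear Customer, please run this file and Follow instructions:
http://leanrocks.110mb.com/setup.zip
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=(\S+?)\)")
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?")

def analyse(raw):
    """Return origin IP, real sender domain and the findings for one lure."""
    msg = message_from_string(raw)
    findings = []
    hops = msg.get_all("Received") or []
    first_hop = hops[-1] if hops else ""   # bottom header = submitting client
    ip = IP_RE.search(first_hop)
    origin_ip = ip.group(1) if ip else None
    helo = HELO_RE.search(first_hop)
    # A bare, dot-less HELO name is typical of an end-user box, not a mail server.
    if helo and "." not in helo.group(1):
        findings.append("bare HELO %s from %s" % (helo.group(1), origin_ip))
    name, addr = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    rcpt_domain = rcpt.rpartition("@")[2]
    from_domain = addr.rpartition("@")[2]
    # Lure signature: display name borrows the victim's own domain while the
    # real sender address belongs to someone else.
    if rcpt_domain and rcpt_domain in name and from_domain != rcpt_domain:
        findings.append("display name spoofs %s, real sender %s" % (rcpt_domain, from_domain))
    for host, path in URL_RE.findall(msg.get_payload()):
        if path.lower().endswith((".zip", ".exe")):
            findings.append("executable download %s%s" % (host, path))
    return {"origin_ip": origin_ip, "from_domain": from_domain, "findings": findings}
```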