[nsp-sec] new maleware distribution sites (AS25532, AS5389, AS25074, AS38935)

Mike Tancsa mike at sentex.net
Fri Mar 18 11:45:57 EDT 2011 

This started flooding in as part of some malware phish scam a few hrs ago.


AS      | IP               | AS Name
25532   | 90.156.201.87    | MASTERHOST-AS CJSC _MasterHost_
53589   | 199.16.130.20    | PLANETHOSTER-8 - PlanetHoster
25074   | 83.220.144.2     | INETBONE-AS INET-People Provider Services


The Maleware urls are below. AV scanners dont seem to say anything about
the files.

The phishing emails came from

Received: from ns1.fastweb.ro (ns1.fastweb.ro [195.254.135.2])
        by smtp1.sentex.ca (8.14.4/8.14.4) with ESMTP id p2ICFteu070542
        for <belair at sentex.net>; Fri, 18 Mar 2011 08:15:59 -0400 (EDT)
        (envelope-from apache at ws01.fastweb.ro)

AS      | IP               | AS Name
38935   | 195.254.135.2    | FASTWEB-RO-AS Fastweb SRL


httpx: //novolug.ru/e107_files/cache/mail.scr
httpx: //novolug.ru/e107_files/cache/mail.scr
httpx: //www.ipa-brabant.be/mail.scr
httpx: //www.thelope.de/proptax.zip

% host novolug.ru
novolug.ru has address 90.156.201.87
novolug.ru has address 90.156.201.76
novolug.ru has address 90.156.201.102
novolug.ru has address 90.156.201.24

% host www.thelope.de
www.thelope.de has address 83.220.144.2

% host -ta  www.ipa-brabant.be
www.ipa-brabant.be is an alias for ipa-brabant.be.
ipa-brabant.be has address 199.16.130.20


% sha256 mail.scr
SHA256 (mail.scr) =
db9195a856de07108103867d8084a6ea3c44d2dec188e5abec71834f6004570f
% file mail.scr
mail.scr: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
146944 bytes

% sha256 proptax.zip
SHA256 (proptax.zip) =
8b42e67623c15b8dd3571e28ea24f9dee0667df9c82f8e0892d7269c0fc2a098

% unzip -l proptax.zip
Archive:  proptax.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   133632  03-19-2011 04:40   mail.scr
---------                     -------
   133632                     1 file

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

More information about the nsp-security mailing list