
Spam: "Scan from a Hewlett-Packard Officejet" spam / caskjfhlkaspsfg.ru

Reposting a post from a foreign blogger: http://blog.dynamoo.com/2012/03/scan-from-hewlett-packard-officejet.html

Another malicious spam, this time with an attachment containing obfuscated code leading to caskjfhlkaspsfg.ru.

 

 

Date: Thu, 1 Mar 2012 09:43:50 +0530

From: ARLYNEO93ESQUIVEL@gmail.com

Subject: Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #603320

Attachments: HP_Scan-27-499614.htm

 

Attached document was scanned and sent to you using a Hewlett-Packard HP SmartJet 4931F.

 

 

 

Sent by: ARLYNE

Pages : 9

Attachment Type: .HTM [Internet Explorer/Mozilla Firefox]

 

The malware is on caskjfhlkaspsfg.ru:8080/images/aublbzdni.php. As with other recent .ru:8080 attacks, this is multihomed on a familiar set of IP addresses:

 

50.31.1.105 (Steadfast Networks, US)

69.60.117.183 (Colopronto, US)

78.107.82.98 (Corbina Telecom, Russia)

83.238.208.55 (Netia Telekom, Poland)

95.156.232.102 (Optimate-server, Germany)

96.125.168.172 (Websitewelcome, US)

111.93.161.226 (Tata Teleservices, India)

125.19.103.198 (Bharti Infotel, India)

128.134.57.112 (Kwangun University, Korea)

173.203.51.174 (Slicehost, US)

184.106.200.65 (Slicehost, US)

184.106.237.210 (Slicehost, US)

190.81.107.70 (Telemax, Peru)

199.204.23.216 (ECSuite, US)

200.169.13.84 (Century Telecom Ltda, Brazil)

209.114.47.158 (Slicehost, US)

210.56.23.100 (Commission For Science And Technology, Pakistan)

210.109.108.210 (Sejong Telecom, Korea)
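
A triage sketch for the two traits described above, added here as an example and not part of the original post: it flags mail whose subject carries the "Scan from a Hewlett-Packard" lure together with an .htm/.html attachment, and flags URLs that point at a .ru host on port 8080. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Lure subject and attachment type taken from the sample in the post.
SUBJECT_RE = re.compile(r"scan from a hewlett-packard", re.IGNORECASE)
HTML_EXT = (".htm", ".html")

# Constructed sample message (placeholder sender, numbers and body).
SAMPLE_MAIL = """\
From: sender@example.com
Subject: Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #000000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached document was scanned and sent to you.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="HP_Scan-00-000000.htm"

<html><body>constructed placeholder</body></html>
--b1--
"""

def html_attachments_on_lure(raw_message):
    """Return HTML attachment names if the subject matches the lure, else []."""
    msg = message_from_string(raw_message)
    if not SUBJECT_RE.search(msg.get("Subject", "")):
        return []
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and n.lower().endswith(HTML_EXT)]

def is_ru_8080(url):
    """True when a URL (scheme optional) targets a .ru host on port 8080."""
    if "://" not in url:
        url = "http://" + url
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed host or port in a log field
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host.endswith(".ru") and port == 8080

if __name__ == "__main__":
    print(html_attachments_on_lure(SAMPLE_MAIL))
    print(is_ru_8080("caskjfhlkaspsfg.ru:8080/images/aublbzdni.php"))
```

Both checks are heuristics for queueing messages and proxy log entries for review; a legitimate .ru service on port 8080 would also match the second one.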

 

