Spam with subject line: "IMPORTANT: Your VISA VbV Password Has Expired!".
Contains links to the botnet-hosted domain herwsx.com, or more correctly, to its subdomains.
The botnet was used a few days earlier in connection with phished/hacked/"social engineered" MSN accounts, which ultimately led to subdomains of woooh-i-got-your-pics.com, e.g. http://zikay.woooh-i-got-your-pics.com/ (now dead).
Maybe more later, but here are some of the IPs; there are of course a lot more.
herwsx.com A 24.7.18.28
herwsx.com A 24.8.113.160
herwsx.com A 24.11.157.140
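The three A records above all sit in different consumer /16 ranges, which is the usual footprint of a fast-flux botnet host. The script below is an added example, not code from the original post: it parses "name A address" records (tolerating the flattened one-line layout the records arrive in here), groups them per name and flags names whose addresses are spread across several /16 prefixes. The thresholds (at least 3 records spanning at least 2 prefixes) and the example.net control records are constructed assumptions; the page shows no TTLs, so TTL is not used.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample input. The herwsx.com triples are the A records quoted on
# the page, flattened onto one line as they were captured; example.net is a
# constructed control with two addresses in the same /16.
SAMPLE = (
    "herwsx.com A 24.7.18.28 herwsx.com A 24.8.113.160 herwsx.com A 24.11.157.140\n"
    "example.net A 192.0.2.10\n"
    "example.net A 192.0.2.11\n"
    "this line is not a record\n"
)

# One 'name A address' triple; finditer lets several triples share one line.
RECORD_RE = re.compile(
    r"(?P<name>[a-z0-9.-]+)\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_a_records(text):
    """Return {name: [ip, ...]} for every well-formed triple in text."""
    records = defaultdict(list)
    for m in RECORD_RE.finditer(text):
        ip = m.group("ip")
        try:
            ip_address(ip)  # rejects octets above 255
        except ValueError:
            continue
        name = m.group("name").lower().rstrip(".")
        if ip not in records[name]:
            records[name].append(ip)
    return dict(records)


def slash16(ip):
    """Coarse network bucket: /16 is enough to separate unrelated broadband blocks."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}.0.0/16"


def assess(ips, min_records=3, min_prefixes=2):
    """Heuristic verdict for one name: many records spread over several /16s."""
    prefixes = {slash16(ip) for ip in ips}
    return {
        "records": len(ips),
        "prefixes16": len(prefixes),
        "suspect_flux": len(ips) >= min_records and len(prefixes) >= min_prefixes,
    }


def assess_all(text):
    """Parse the records and assess every name found."""
    return {name: assess(ips) for name, ips in parse_a_records(text).items()}


if __name__ == "__main__":
    for name, verdict in assess_all(SAMPLE).items():
        print(name, verdict)
```

On real data the record text would come from repeated queries of the same name over time (the address set of a flux domain changes between lookups), and the thresholds would be tuned against known CDN names, which also spread addresses across prefixes.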
First a screenshot from the phish site at
h||p://ww4.visa.com.82siddefault.com/creditcards/security/confirm
And here is a screenshot of the location bar from the screenshot above:

Phishing has become so usual nowadays, it is almost boring.
I want more.
This one was obviously on a compromised domain/server, so I started looking around.
The link given in the spam was not the one I ended up at, so there was a redirector involved.
I started there and this one showed up:
(First written December 02, last updated December 05)
Now redirecting to "European Pharmacy" sites (aka Canadian Pharmacy), and set up for some phishing.
0secure.bz, 27go.co.uk, 42cert.asia, 42snmp.name, 51apps.gs, 51exec.gs, 63mode.me, 6query.us, 77temp.eu, 79tmp.ws, 9batch.tk, ide92.ws, aspx37.me, ioctl2.jp, ole55.us, page65.tk, site60.co.uk
rollick@ / pugilism@
When visiting e.g. ole55. us I get redirected to leastcountry.com via the HTTP header:
Location: http://leastcountry.com
Screenshot:
(First written November 25, updated November 26, 27 and 28)
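The Location header above is one hop in a redirector chain, and the earlier post noted that the spam link was not the page the browser ended up on. Tracing such chains safely means fetching one hop at a time without automatic redirect following, recording every URL, and stopping on loops. The tracer below is an added example, not code from the original post; the canned responses for ole55.us and leastcountry.com mirror the single hop the page reports, while loop-a.example and the status codes of the canned responses are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed stand-in for an HTTP client that does NOT follow redirects:
# maps a normalized URL to (status, headers). The first pair mirrors the hop
# reported on the page; the loop-a.example pair is constructed to show loop
# handling and a relative Location value.
CANNED = {
    "http://ole55.us/": (302, {"Location": "http://leastcountry.com"}),
    "http://leastcountry.com/": (200, {"Content-Type": "text/html"}),
    "http://loop-a.example/": (302, {"location": "/step"}),
    "http://loop-a.example/step": (302, {"Location": "http://loop-a.example/"}),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def canned_fetch(url):
    """Hypothetical fetch(url) -> (status, headers); unknown URLs yield 404."""
    return CANNED.get(url, (404, {}))


def normalize(url):
    """Lower-case scheme/host, force a '/' path, drop fragments, so that
    'http://leastcountry.com' and 'http://leastcountry.com/' compare equal."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def trace(start, fetch=canned_fetch, max_hops=10):
    """Follow Location headers one hop at a time.

    Returns (hops, reason, last_status) where reason is one of
    'final', 'loop', 'missing_location' or 'max_hops'.
    """
    url = normalize(start)
    hops = [url]
    seen = {url}
    status = None
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            return hops, "final", status
        # Header names are case-insensitive on the wire.
        lowered = {k.lower(): v for k, v in headers.items()}
        loc = lowered.get("location")
        if not loc:
            return hops, "missing_location", status
        nxt = normalize(urljoin(url, loc))  # resolves relative Location values
        hops.append(nxt)
        if nxt in seen:
            return hops, "loop", status
        seen.add(nxt)
        url = nxt
    return hops, "max_hops", status


if __name__ == "__main__":
    for start in ("http://ole55.us", "http://loop-a.example/"):
        hops, reason, status = trace(start)
        print(reason, status, " -> ".join(hops))
```

To run this against live servers, swap canned_fetch for a client that issues a single request with redirect following disabled and returns the status and headers; the chain logic stays the same.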
Spotted so far:
0kernel.be, 48conf.name, 49pid.name, 6locate.cc, 73base.co.uk, 79tmp.ws, 7manage.gs, 81id.co.uk, 8ntdll.mobi, 91ini.eu, admin7.cc, bin54.in, crypt2.us, crypt5.eu, ddk25.gs, diag79.in, dns75.us, exec18.jp, folder8.name, icmp63.asia, kernel4.jp, mode78.tv, srvid2.co.uk, tid28.jp, token4.asia (set up on the botnet, but not found elsewhere), xml58.tk, xml90.tk, xml92.ca (already suspended?)
holdall@ / worsteder@ / reservam@
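Both sighting lists (the one above and the earlier December list) follow one naming scheme: a short lowercase technical word with a one- or two-digit number glued to the front or back, on a cheap TLD. The script below is an added example, not code from the original post: it extracts the domains from the two lists as written on the page (stripping the parenthetical notes and tolerating the missing comma), turns the observed scheme into a label regex usable as a detection rule, and reports which names appear in both sightings. The label-length bounds in the regex are an assumption derived from these lists only.

```python
import re

# The two sighting lists exactly as they appear on the page.
DECEMBER_LIST = (
    "0secure.bz, 27go.co.uk, 42cert.asia, 42snmp.name, 51apps.gs, 51exec.gs, "
    "63mode.me, 6query.us, 77temp.eu, 79tmp.ws 9batch.tk, ide92.ws, aspx37.me, "
    "ioctl2.jp, ole55.us, page65.tk, site60.co.uk"
)
NOVEMBER_LIST = (
    "0kernel.be, 48conf.name, 49pid.name, 6locate.cc, 73base.co.uk, 79tmp.ws, "
    "7manage.gs, 81id.co.uk, 8ntdll.mobi, 91ini.eu, admin7.cc, bin54.in, crypt2.us, "
    "crypt5.eu, ddk25.gs, diag79.in, dns75.us, exec18.jp, folder8.name, icmp63.asia, "
    "kernel4.jp, mode78.tv, srvid2.co.uk, tid28.jp, token4.asia (set up on the "
    "botnet, but not found elsewhere), xml58.tk, xml90.tk, xml92.ca (already suspended?)"
)

# A domain: label, then one or more dotted TLD-like parts (handles co.uk).
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z]{2,})+\b")

# Observed scheme: 1-2 digits + a 2-7 letter word, or the word + 1-2 digits.
# Bounds are assumed from the lists on the page, e.g. 79tmp, ole55, 0kernel.
LABEL_RE = re.compile(r"^(?:\d{1,2}[a-z]{2,7}|[a-z]{2,7}\d{1,2})$")


def extract_domains(text):
    """Pull domain names out of a comma-separated list with free-text notes."""
    cleaned = re.sub(r"\([^)]*\)", " ", text)  # drop "(already suspended?)" notes
    return sorted(set(DOMAIN_RE.findall(cleaned.lower())))


def matches_scheme(domain):
    """True when the leftmost label fits the word+digits / digits+word scheme."""
    label = domain.split(".", 1)[0]
    return bool(LABEL_RE.match(label))


def common(a, b):
    """Domains present in both sightings."""
    return sorted(set(a) & set(b))


if __name__ == "__main__":
    dec, nov = extract_domains(DECEMBER_LIST), extract_domains(NOVEMBER_LIST)
    print(len(dec), "December domains,", len(nov), "November domains")
    print("seen in both:", common(dec, nov))
    print("all match scheme:", all(matches_scheme(d) for d in dec + nov))
```

A regex this narrow is only a triage aid: it will also hit legitimate names such as a hypothetical "crypt5.eu"-style hostname, so in practice it is paired with the DNS evidence (many A records on broadband prefixes) before anything is blocked.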
Interesting to come across relatively fresh RFI attempts resulting in phishing setups:

This time apparently "Sorin" was and still is setting it up.
Or is it the Indonesians?
I don't care, both Indonesia and Romania are still shitty netcitizens.
A nice backdoor/Trojan included in the package too.