SlideShare a Scribd company logo

Malware Spam February 2013

Brent Muir
Brent Muir

Results from my analysis of malicious emails from February 2013

Technology
1 of 5
Download to read offline
MALWARE SPAM – FEBRUARY 2013 Sent from Type - Criminal Sent from compromise Contains my Total # Type - Type - Type - Type - Type - Background Type - Malicious Malicious Attachment Attachment Attachment Type malformed email d known email address in Received Viagra Job Green Card Banking LinkedIn Check Other Link Attachment Type - .ZIP Type - .DOC - . PDF header contact "TO" field Feb-13 32 0 0 0 1 0 0 31 32 0- - - 31 1 4 •Malicious SPAM is defined by me as any unsolicited email that contains a potential information security risk. This does not include the usual marketing newsletter emails. Only those for which there is not a prior affiliation and that make it into my mail box.
FEBRUARY 2013 – DETAILS – PAGE 1 Sent from Sent from compr Link Malicious malforme omised Malicio Shorte Attachme Attachm d email known Contains my email address Date Type us Link ner Link Masking Link Host Link Risks nt ent Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) in "TO" field 24.99.8.124 - Unknown beautifulwindowselgin.com - Unknown 24.99.8.124 - USA (by yahoo.com comcast.net) 24.99.8.124 - Yes (98.139.245.181) - Yahoo! yahoo.com - USA (by (cscprotectsbrands.com ) Inc. yahoo.com) beautifulwindowselgin.com - 701 First Avenue beautifulwindowselgin.com - No subject y7mail.com 24.99.8.124 Yes (1and1-private- Sunnyvale CA 94089 USA (by 1and1.com) 1 2/02/2013 (blank just a link) Yes No No beautifulwindowselgin.com No Yes Yes (web164906.mail.bf1.yahoo.com) (comcast.net) registration.com) US perfora.net Yes 79.163.19.197 - Poland (by centertel.pl) No subject 79.163.19.197 79.163.19.197 (centertel.pl) yahoo.com - USA (by No (yahoo.com listed as 2 7/02/2013 (blank just a link) Yes Yes - basic amazonaws.com No Yes No yahoo.com (centertel.pl) - Poland yahoo.com) recipient) 183.83.50.39 - India (by No subject 183.83.50.39 - Yes (no Whois beamtele.com) No (tftinteriors.com listed 3 7/02/2013 (blank just a link) Yes Yes - basic amazonaws.com No Yes No yahoo.com 183.83.50.39 record) 183.83.50.39 - Unknown as recipient) 178.221.43.87 - Unknown 0x36.0353.0161.190 (54.235.113.190, amazonaws.com) 178.221.43.87 - Serbia (by allsolar.net - (IP telekom.rs) Yes - Yes - shortener and a allsolar.net redirects to 0x36.0353.0161.190 (resolves 178.221.43.87 - Yes (no Whois 64.95.64.218), allsolar.net - USA (by No (aol.com listed as 4 10/02/2013 Ecard Yes bit.ly redirect to amazonaws.com) No Yes No yahoo.com 178.221.43.87 record) BuyDomains.com smartname.com) recipient) The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 188.190.125.50 - Yes (no Whois 188.190.125.50 - Unknown record) The executable creates and/or modifies ingenium-gree.ru - Unkown as ingenium-gree.ru - 188.190.125.50 - Ukraine - by No subject registry entries. Whois record updated on Unknown (possibly "OOO infiumhost.com) 5 13/02/2013 (blank just a link) Yes No No ingenium-gree.ru No Yes No yahoo.com 188.190.125.50 28/02/2013 Climatrade" via naunet.ru) ingenium-gree.ru - Unkown No (no recipients listed) The executable modifies and destructs files which are not temporary. 41.137.74.188 - This prefix is Changes security settings of Internet used for mobile 3G Internet Explorer: users on the northern region of Morocco (via The executable creates and/or modifies marocconnect.com) No subject registry entries. 41.137.74.188 - Yes (no Whois N0 (yahoo.com listed as 6 13/02/2013 (blank just a link) Yes No Yes - basic amazonaws.com No Yes No yahoo.com 41.137.74.188 record) 41.137.74.188 - Unknown recipient) 188.190.127.65 - Unknown (data centre infiumhost.com?) 21pages.com - ( jiwei information techonogy co.,ltd 188.190.127.65 - Ukraine (via (21widnows.com) via China infiumhost.com) No subject 188.190.127.65 - Yes (no Whois Telecom 21pages.com - China (via 7 13/02/2013 (blank just a link) Yes No No 21pages.com No Yes No yahoo.com 188.190.127.65 record) www.bizcn.com) No 193.105.154.31 - Yes (no 193.105.154.31 - Unkown Whois record) (no Whois record) technord-gree.ru - Unkown as technord-gree.ru - 193.105.154.31 - Latvia (via city- Whois record updated on Unknown (possibly "OOO line.eu) 8 13/02/2013 Random poem Yes No No technord-gree.ru No Yes No yahoo.com 193.105.154.31 28/02/2013 Climatrade" via naunet.ru) technord-gree.ru - Unknown No
FEBRUARY 2013 – DETAILS – PAGE 2 Sent from Sent from compro Link malformed mised Maliciou Shorten Malicious Attachme email known Contains my email address in Date Type s Link er Link Masking Link Host Link Risks Attachment nt Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) "TO" field 176.99.4.139 - Unkown (no 176.99.4.139 - Yes (no Whois Whois record) record) gree73.ru - Unknown (possibly 13/02/201 gree73.ru - Unkown as Whois "OOO Climatrade" via 176.99.4.139 - Russia (via globatel.ru) 9 3 Film Festival Yes No No gree73.ru No Yes No yahoo.com 176.99.4.139 record updated on 28/02/2013 naunet.ru) gree73.ru - Unknown No 14/02/201 200.76.23.158 - Yes (no Whois 200.76.23.158 - Mexico (via 10 3 Russian bride No - - - Yes richardhaughton.com 200.76.23.158 record) 200.76.23.158 - Unknown ALESTRA.NET.MX)+L8 Yes The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 193.106.31.178 - Yes (no Whois 193.106.31.178 - Unknown The executable creates and/or modifies registry record) gree16.ru - Unknown (possibly 193.106.31.178 - Ukraine (via 14/02/201 entries. gree16.ru - Unkown as Whois "OOO Climatrade" via citonline.com.ua) 11 3 Banking Yes No No gree16.ru No Yes No yahoo.com 193.106.31.178 record updated on 28/02/2013 naunet.ru) gree16.ru - Unknown No 91.210.102.108 - UK? (via uanetworking.com 91.210.102.108 - Yes (no Whois 91.210.102.108 - Unknown via net-art.cz) 14/02/201 record) sanqin55.com - XIN NET sanqin55.com - China (via 12 3 Happy New Year ??? Yes No No sanqin55.com No Yes No bellsouth.net (via yahoo.com) 91.210.102.108 sanqin55.com - No TECHNOLOGY CORPORATION xinnet.com) No 193.0.146.114 - Yes (no Whois 193.0.146.114 - Unkown (no 193.0.146.114 - Russia (via 14/02/201 No subject (blank just a record) Whois record) freestyleisp.net) 13 3 link) Yes No No web.986x.com No No No gmx.at 193.0.146.114 web.986x.com - web.986x.com - web.986x.com - No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 193.0.146.34 - Unkown (no Whois record) The executable creates and/or modifies registry 193.0.146.34 - Yes (no Whois lenbon.net - HICHINA 193.0.146.34 - Russia (via 15/02/201 No subject (blank just a entries. record) ZHICHENG TECHNOLOGY LTD freestyleisp.net) 14 3 link) Yes No No lenbon.net Yes yahoo.com 193.0.146.34 lenbon.net - No (via China Telecom) lenbon.net - China No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 79.96.180.143 - home.pl The executable creates and/or modifies registry (home.pl S.A) 79.96.180.143 16/02/201 entries. (v096663.home.net.p 79.96.180.143 - No pistoia.it - Regione Toscana 79.96.180.143 - Poland 15 3 Gibberish Yes No No (non-clickable) pistoia.it No Yes No sbcglobal.net l) pistoia.it - Yes (no Whois record) (regione.toscana.it) pistoia.it - Italy Yes 91.210.100.28 - Yes (no Whois 91.210.100.28 - UK (via record) 91.210.100.28 - Unkown (via uanetworking.com) 16/02/201 financebar.dk - Yes (no Whois uanetworking.com) financebar.dk - Denmark (via 16 3 Gibberish Yes No No financebar.dk/newsmedia.html No Yes No sbcglobal.net 91.210.100.28 record) financebar.dk - Unknown one.com) No
FEBRUARY 2013 – DETAILS – PAGE 3 Sent from Sent from compro Link malformed mised Maliciou Shortene Malicious Attachme email known Contains my email address in Date Type s Link r Link Masking Link Host Link Risks Attachment nt Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) "TO" field The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: The executable creates and/or modifies registry 41.44.51.188- Yes (no Whois 17/02/201 entries. record) 41.44.51.188 - Unknown 41.44.51.188 - Egypt (via TE Data) No (rediffmail.com listed as 17 3 Dr ? Yes No Yes (basic html) amazonaws.com No Yes No yahoo.com 41.44.51.188 recipient) 46.148.30.189 - Ukraine (via 46.148.30.189 - Yes (no Whois 46.148.30.189 - Unknown citonline.com.ua) 17/02/201 Random text scraped record) gassafetrades.co.uk - UK (via gassafetrades.co.uk - USA (via 18 3 from book? Yes No No gassafetrades.co.uk No Yes No yahoo.com 46.148.30.189 gassafetrades.co.uk - No GoDaddy.com) hostrocket.com) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.103.136 - Yes (no Whois 91.210.103.136 - UK (via The executable creates and/or modifies registry record) 91.210.103.136 - Unknown uanetworking.com) 18/02/201 entries. .saihomecreations.com - Yes .saihomecreations.com - .saihomecreations.com - USA (via 19 3 Blank Yes No No saihomecreations.com No Yes No rocketmail.com (via yahoo.com) 91.210.103.136 (domains by proxy - GoDaddy) Unknown (via GoDaddy) New Dream Network, LLC) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 193.106.31.55 - Ukraine (via The executable creates and/or modifies registry 193.106.31.55 - Yes (no Whois 193.106.31.55 - Unknown citonline.com.ua) 19/02/201 entries. record) fldp.info - (personal record in fldp.info - USA (via New Dream 20 3 Gibberish Yes No No fldp.info No Yes No yahoo.com 193.106.31.55 fldp.info - No China) Network, LLC) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.102.24 - UK (via The executable creates and/or modifies registry 91.210.102.24 - Yes (no Whois 91.210.102.24 - Unknown uanetworking.com) 19/02/201 entries. record) lbh-lsm.org (personal record in lbh-lsm.org - Indonesia (via 21 3 Gibberish Yes No No lbh-lsm.org No Yes No rocketmail.com (via yahoo.com) 91.210.102.24 lbh-lsm.org - No Jakarta) jagoanhosting.com) No 91.210.103.17 - UK (via 91.210.103.17 - Yes (no Whois 91.210.103.17 - Unkown uanetworking.com) 21/02/201 record) fingtrack.com - Fingtrack Co.,Ltd. fingtrack.com - Thailand (via 22 3 Blank Yes No No fingtrack.com No Yes No yahoo.com 91.210.103.17 fingtrack.com - No (Thailand) loxinfo.co.th ) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: boscgi1201.eigbox.net - USA (via The executable creates and/or modifies registry boscgi1201.eigbox.net - Tucows cogentco.com) 22/02/201 entries. boscgi1201.eigbox.ne boscgi1201.eigbox.net - No findmylamp.com - Edson Evers findmylamp.com - Germany (via 23 3 Important message Yes No Yes - basic findmylamp.com No Yes No facebook.com.au t findmylamp.com - No LLP (blueplex.com) oneandone.net) Yes 91.210.102.123 - Unknown 91.210.102.123 - UK (via 91.210.102.123 - Yes (no Whois genese-ressources.com - SARL uanetworking.com) 22/02/201 record) Genèse des Ressources (France genese-ressources.com - France (via 24 3 Blank Yes No No genese-ressources.com No Yes No yahoo.com 91.210.102.123 genese-ressources.com - No via gandi.net) ovh.com) No
FEBRUARY 2013 – DETAILS – PAGE 4 Sent from Sent from compro Link malformed mised Maliciou Shorten Malicious Attachme email known Contains my email address in Date Type s Link er Link Masking Link Host Link Risks Attachment nt Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) "TO" field 91.210.100.126 - UK (via 91.210.100.126 - Yes (no Whois 91.210.100.126 - Unknown uanetworking.com) 22/02/201 record) fingtrack.com - Thailand (via fingtrack.com - Thailand (via 25 3 Blank Yes No No fingtrack.com No Yes No yahoo.com (yahoo.co.uk) 91.210.100.126 fingtrack.com - No loxinfo.co.th ) loxinfo.co.th ) No 23/02/201 95.42.50.85 - No 95.42.50.85 - BTC-NET Ltd. 95.42.50.85 - Bulgaria (via btc-net.bg) No (tpg.com.au listed as 26 3 Blank Yes No Yes - basic amazonaws.com No Yes No yahoo.com 95.42.50.85 recipient) The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.101.66 - UK (via 91.210.101.66 - Yes (no Whois uanetworking.com) The executable creates and/or modifies registry record) flavio-cavaller.com - USA (via New 23/02/201 entries. flavio-cavaller.com - Yes 91.210.101.66 - Unknown Dream Network, LLC - 27 3 Blank Yes No No flavio-cavaller.com No Yes No yahoo.com 91.210.101.66 (proxy.dreamhost.com) flavio-cavaller.com - Unknown dreamhost.com No 91.210.101.56 - UK (via 91.210.101.56 - Yes (no Whois 91.210.101.56 - Unknown uanetworking.com) 23/02/201 record) fingtrack.com - Thailand (via fingtrack.com - Thailand (via 28 3 Blank Yes No No fingtrack.com No Yes No yahoo.com 91.210.101.56 fingtrack.com - No loxinfo.co.th ) loxinfo.co.th ) No The executable modifies and destructs files which are not temporary. 91.210.103.108 - UK (via 91.210.103.108 - Unknown uanetworking.com) Changes security settings of Internet Explorer: firstspaceglobal.com - First firstspaceglobal.com - USA (via New 91.210.103.108 - Yes (no Whois Space Ltd Dream Network, LLC - The executable creates and/or modifies registry record) (facilitymedia.com) dreamhost.com) 24/02/201 entries. firstspaceglobal.com - No goboint.com - personal record in goboint.com - USA (via 29 3 Gibberish Yes (2) No No firstspaceglobal.com & goboint.com No Yes No gmx.at 91.210.103.108 goboint.com - No China wiredtree.com) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.101.37 - UK (via The executable creates and/or modifies registry 91.210.101.37 - Yes (no Whois 91.210.101.37 - Unknown uanetworking.com) 25/02/201 entries. record) ascensionparishbangalore.org - ascensionparishbangalore.org - USA 30 3 Gibberish Yes No No ascensionparishbangalore.org No Yes No yahoo.com 91.210.101.37 ascensionparishbangalore.org - No Relay Admedia (Bangalore) (via dimenoc.com) No 26/02/201 121.97.110.43 - BayanTel 121.97.110.43 - Phillipines (via No (rediffmail.com listed as 31 3 Dating website Yes No Yes - basic amazonaws.com No Yes No yahoo.com 121.97.110.43 121.97.110.43 - No Broadband DSL (bayan.com.ph) skyinet.net) recipient) The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 189.220.127.202 - TV CABLE S.A. 189.220.127.202 - Mexico (via The executable creates and/or modifies registry 189.220.127.202 - No DE C.V. CABLEONLINE.COM.MX) 28/02/201 Yes - Yes - shortener and a entries. 0102.0346.0263.127 - Yes (no (Mexico) 0102.0346.0263.127 - USA (via 32 3 Ecard Yes bit.ly redirect answeryourquestion.com redirects to 0102.0346.0263.127 No Yes No yahoo.com 189.220.127.202 Whois record) 0102.0346.0263.127 - Unknown oxeo.com) No (yahoo.es listed as recipient) TOTAL 31/32 2/32 2/32 0 31/32 1 4/32

Recommended

Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Brent Muir
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013Brent Muir
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBrent Muir
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5Brent Muir
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingBrent Muir
 

Recommended

Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Brent Muir
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013Brent Muir
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBrent Muir
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5Brent Muir
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingBrent Muir
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Brent Muir
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksBrent Muir
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security IssuesBrent Muir
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersBrent Muir
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013Brent Muir
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDubai Multi Commodity Centre
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

More Related Content

More from Brent Muir

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Brent Muir
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksBrent Muir
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security IssuesBrent Muir
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersBrent Muir
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013Brent Muir
 

More from Brent Muir (8)

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security Issues
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying Markers
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013
 

Recently uploaded

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Malware Spam February 2013

  • 1. MALWARE SPAM – FEBRUARY 2013 Sent from Type - Criminal Sent from compromise Contains my Total # Type - Type - Type - Type - Type - Background Type - Malicious Malicious Attachment Attachment Attachment Type malformed email d known email address in Received Viagra Job Green Card Banking LinkedIn Check Other Link Attachment Type - .ZIP Type - .DOC - . PDF header contact "TO" field Feb-13 32 0 0 0 1 0 0 31 32 0- - - 31 1 4 •Malicious SPAM is defined by me as any unsolicited email that contains a potential information security risk. This does not include the usual marketing newsletter emails. Only those for which there is not a prior affiliation and that make it into my mail box.
  • 2. FEBRUARY 2013 – DETAILS – PAGE 1 Sent from Sent from compr Link Malicious malforme omised Malicio Shorte Attachme Attachm d email known Contains my email address Date Type us Link ner Link Masking Link Host Link Risks nt ent Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) in "TO" field 24.99.8.124 - Unknown beautifulwindowselgin.com - Unknown 24.99.8.124 - USA (by yahoo.com comcast.net) 24.99.8.124 - Yes (98.139.245.181) - Yahoo! yahoo.com - USA (by (cscprotectsbrands.com ) Inc. yahoo.com) beautifulwindowselgin.com - 701 First Avenue beautifulwindowselgin.com - No subject y7mail.com 24.99.8.124 Yes (1and1-private- Sunnyvale CA 94089 USA (by 1and1.com) 1 2/02/2013 (blank just a link) Yes No No beautifulwindowselgin.com No Yes Yes (web164906.mail.bf1.yahoo.com) (comcast.net) registration.com) US perfora.net Yes 79.163.19.197 - Poland (by centertel.pl) No subject 79.163.19.197 79.163.19.197 (centertel.pl) yahoo.com - USA (by No (yahoo.com listed as 2 7/02/2013 (blank just a link) Yes Yes - basic amazonaws.com No Yes No yahoo.com (centertel.pl) - Poland yahoo.com) recipient) 183.83.50.39 - India (by No subject 183.83.50.39 - Yes (no Whois beamtele.com) No (tftinteriors.com listed 3 7/02/2013 (blank just a link) Yes Yes - basic amazonaws.com No Yes No yahoo.com 183.83.50.39 record) 183.83.50.39 - Unknown as recipient) 178.221.43.87 - Unknown 0x36.0353.0161.190 (54.235.113.190, amazonaws.com) 178.221.43.87 - Serbia (by allsolar.net - (IP telekom.rs) Yes - Yes - shortener and a allsolar.net redirects to 0x36.0353.0161.190 (resolves 178.221.43.87 - Yes (no Whois 64.95.64.218), allsolar.net - USA (by No (aol.com listed as 4 10/02/2013 Ecard Yes bit.ly redirect to amazonaws.com) No Yes No yahoo.com 178.221.43.87 record) BuyDomains.com smartname.com) recipient) The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 188.190.125.50 - Yes (no Whois 188.190.125.50 - Unknown record) The executable creates and/or modifies ingenium-gree.ru - Unkown as ingenium-gree.ru - 188.190.125.50 - Ukraine - by No subject registry entries. Whois record updated on Unknown (possibly "OOO infiumhost.com) 5 13/02/2013 (blank just a link) Yes No No ingenium-gree.ru No Yes No yahoo.com 188.190.125.50 28/02/2013 Climatrade" via naunet.ru) ingenium-gree.ru - Unkown No (no recipients listed) The executable modifies and destructs files which are not temporary. 41.137.74.188 - This prefix is Changes security settings of Internet used for mobile 3G Internet Explorer: users on the northern region of Morocco (via The executable creates and/or modifies marocconnect.com) No subject registry entries. 41.137.74.188 - Yes (no Whois N0 (yahoo.com listed as 6 13/02/2013 (blank just a link) Yes No Yes - basic amazonaws.com No Yes No yahoo.com 41.137.74.188 record) 41.137.74.188 - Unknown recipient) 188.190.127.65 - Unknown (data centre infiumhost.com?) 21pages.com - ( jiwei information techonogy co.,ltd 188.190.127.65 - Ukraine (via (21widnows.com) via China infiumhost.com) No subject 188.190.127.65 - Yes (no Whois Telecom 21pages.com - China (via 7 13/02/2013 (blank just a link) Yes No No 21pages.com No Yes No yahoo.com 188.190.127.65 record) www.bizcn.com) No 193.105.154.31 - Yes (no 193.105.154.31 - Unkown Whois record) (no Whois record) technord-gree.ru - Unkown as technord-gree.ru - 193.105.154.31 - Latvia (via city- Whois record updated on Unknown (possibly "OOO line.eu) 8 13/02/2013 Random poem Yes No No technord-gree.ru No Yes No yahoo.com 193.105.154.31 28/02/2013 Climatrade" via naunet.ru) technord-gree.ru - Unknown No
  • 3. FEBRUARY 2013 – DETAILS – PAGE 2 Sent from Sent from compro Link malformed mised Maliciou Shorten Malicious Attachme email known Contains my email address in Date Type s Link er Link Masking Link Host Link Risks Attachment nt Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) "TO" field 176.99.4.139 - Unkown (no 176.99.4.139 - Yes (no Whois Whois record) record) gree73.ru - Unknown (possibly 13/02/201 gree73.ru - Unkown as Whois "OOO Climatrade" via 176.99.4.139 - Russia (via globatel.ru) 9 3 Film Festival Yes No No gree73.ru No Yes No yahoo.com 176.99.4.139 record updated on 28/02/2013 naunet.ru) gree73.ru - Unknown No 14/02/201 200.76.23.158 - Yes (no Whois 200.76.23.158 - Mexico (via 10 3 Russian bride No - - - Yes richardhaughton.com 200.76.23.158 record) 200.76.23.158 - Unknown ALESTRA.NET.MX)+L8 Yes The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 193.106.31.178 - Yes (no Whois 193.106.31.178 - Unknown The executable creates and/or modifies registry record) gree16.ru - Unknown (possibly 193.106.31.178 - Ukraine (via 14/02/201 entries. gree16.ru - Unkown as Whois "OOO Climatrade" via citonline.com.ua) 11 3 Banking Yes No No gree16.ru No Yes No yahoo.com 193.106.31.178 record updated on 28/02/2013 naunet.ru) gree16.ru - Unknown No 91.210.102.108 - UK? (via uanetworking.com 91.210.102.108 - Yes (no Whois 91.210.102.108 - Unknown via net-art.cz) 14/02/201 record) sanqin55.com - XIN NET sanqin55.com - China (via 12 3 Happy New Year ??? Yes No No sanqin55.com No Yes No bellsouth.net (via yahoo.com) 91.210.102.108 sanqin55.com - No TECHNOLOGY CORPORATION xinnet.com) No 193.0.146.114 - Yes (no Whois 193.0.146.114 - Unkown (no 193.0.146.114 - Russia (via 14/02/201 No subject (blank just a record) Whois record) freestyleisp.net) 13 3 link) Yes No No web.986x.com No No No gmx.at 193.0.146.114 web.986x.com - web.986x.com - web.986x.com - No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 193.0.146.34 - Unkown (no Whois record) The executable creates and/or modifies registry 193.0.146.34 - Yes (no Whois lenbon.net - HICHINA 193.0.146.34 - Russia (via 15/02/201 No subject (blank just a entries. record) ZHICHENG TECHNOLOGY LTD freestyleisp.net) 14 3 link) Yes No No lenbon.net Yes yahoo.com 193.0.146.34 lenbon.net - No (via China Telecom) lenbon.net - China No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 79.96.180.143 - home.pl The executable creates and/or modifies registry (home.pl S.A) 79.96.180.143 16/02/201 entries. (v096663.home.net.p 79.96.180.143 - No pistoia.it - Regione Toscana 79.96.180.143 - Poland 15 3 Gibberish Yes No No (non-clickable) pistoia.it No Yes No sbcglobal.net l) pistoia.it - Yes (no Whois record) (regione.toscana.it) pistoia.it - Italy Yes 91.210.100.28 - Yes (no Whois 91.210.100.28 - UK (via record) 91.210.100.28 - Unkown (via uanetworking.com) 16/02/201 financebar.dk - Yes (no Whois uanetworking.com) financebar.dk - Denmark (via 16 3 Gibberish Yes No No financebar.dk/newsmedia.html No Yes No sbcglobal.net 91.210.100.28 record) financebar.dk - Unknown one.com) No
  • 4. FEBRUARY 2013 – DETAILS – PAGE 3 Sent from Sent from compro Link malformed mised Maliciou Shortene Malicious Attachme email known Contains my email address in Date Type s Link r Link Masking Link Host Link Risks Attachment nt Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) "TO" field The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: The executable creates and/or modifies registry 41.44.51.188- Yes (no Whois 17/02/201 entries. record) 41.44.51.188 - Unknown 41.44.51.188 - Egypt (via TE Data) No (rediffmail.com listed as 17 3 Dr ? Yes No Yes (basic html) amazonaws.com No Yes No yahoo.com 41.44.51.188 recipient) 46.148.30.189 - Ukraine (via 46.148.30.189 - Yes (no Whois 46.148.30.189 - Unknown citonline.com.ua) 17/02/201 Random text scraped record) gassafetrades.co.uk - UK (via gassafetrades.co.uk - USA (via 18 3 from book? Yes No No gassafetrades.co.uk No Yes No yahoo.com 46.148.30.189 gassafetrades.co.uk - No GoDaddy.com) hostrocket.com) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.103.136 - Yes (no Whois 91.210.103.136 - UK (via The executable creates and/or modifies registry record) 91.210.103.136 - Unknown uanetworking.com) 18/02/201 entries. .saihomecreations.com - Yes .saihomecreations.com - .saihomecreations.com - USA (via 19 3 Blank Yes No No saihomecreations.com No Yes No rocketmail.com (via yahoo.com) 91.210.103.136 (domains by proxy - GoDaddy) Unknown (via GoDaddy) New Dream Network, LLC) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 193.106.31.55 - Ukraine (via The executable creates and/or modifies registry 193.106.31.55 - Yes (no Whois 193.106.31.55 - Unknown citonline.com.ua) 19/02/201 entries. record) fldp.info - (personal record in fldp.info - USA (via New Dream 20 3 Gibberish Yes No No fldp.info No Yes No yahoo.com 193.106.31.55 fldp.info - No China) Network, LLC) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.102.24 - UK (via The executable creates and/or modifies registry 91.210.102.24 - Yes (no Whois 91.210.102.24 - Unknown uanetworking.com) 19/02/201 entries. record) lbh-lsm.org (personal record in lbh-lsm.org - Indonesia (via 21 3 Gibberish Yes No No lbh-lsm.org No Yes No rocketmail.com (via yahoo.com) 91.210.102.24 lbh-lsm.org - No Jakarta) jagoanhosting.com) No 91.210.103.17 - UK (via 91.210.103.17 - Yes (no Whois 91.210.103.17 - Unkown uanetworking.com) 21/02/201 record) fingtrack.com - Fingtrack Co.,Ltd. fingtrack.com - Thailand (via 22 3 Blank Yes No No fingtrack.com No Yes No yahoo.com 91.210.103.17 fingtrack.com - No (Thailand) loxinfo.co.th ) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: boscgi1201.eigbox.net - USA (via The executable creates and/or modifies registry boscgi1201.eigbox.net - Tucows cogentco.com) 22/02/201 entries. boscgi1201.eigbox.ne boscgi1201.eigbox.net - No findmylamp.com - Edson Evers findmylamp.com - Germany (via 23 3 Important message Yes No Yes - basic findmylamp.com No Yes No facebook.com.au t findmylamp.com - No LLP (blueplex.com) oneandone.net) Yes 91.210.102.123 - Unknown 91.210.102.123 - UK (via 91.210.102.123 - Yes (no Whois genese-ressources.com - SARL uanetworking.com) 22/02/201 record) Genèse des Ressources (France genese-ressources.com - France (via 24 3 Blank Yes No No genese-ressources.com No Yes No yahoo.com 91.210.102.123 genese-ressources.com - No via gandi.net) ovh.com) No
  • 5. FEBRUARY 2013 – DETAILS – PAGE 4 Sent from Sent from compro Link malformed mised Maliciou Shorten Malicious Attachme email known Contains my email address in Date Type s Link er Link Masking Link Host Link Risks Attachment nt Type header contact Listed Email Host Real Email Host Domain Proxy Service Registration Information Country Hosting Domain (IP) "TO" field 91.210.100.126 - UK (via 91.210.100.126 - Yes (no Whois 91.210.100.126 - Unknown uanetworking.com) 22/02/201 record) fingtrack.com - Thailand (via fingtrack.com - Thailand (via 25 3 Blank Yes No No fingtrack.com No Yes No yahoo.com (yahoo.co.uk) 91.210.100.126 fingtrack.com - No loxinfo.co.th ) loxinfo.co.th ) No 23/02/201 95.42.50.85 - No 95.42.50.85 - BTC-NET Ltd. 95.42.50.85 - Bulgaria (via btc-net.bg) No (tpg.com.au listed as 26 3 Blank Yes No Yes - basic amazonaws.com No Yes No yahoo.com 95.42.50.85 recipient) The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.101.66 - UK (via 91.210.101.66 - Yes (no Whois uanetworking.com) The executable creates and/or modifies registry record) flavio-cavaller.com - USA (via New 23/02/201 entries. flavio-cavaller.com - Yes 91.210.101.66 - Unknown Dream Network, LLC - 27 3 Blank Yes No No flavio-cavaller.com No Yes No yahoo.com 91.210.101.66 (proxy.dreamhost.com) flavio-cavaller.com - Unknown dreamhost.com No 91.210.101.56 - UK (via 91.210.101.56 - Yes (no Whois 91.210.101.56 - Unknown uanetworking.com) 23/02/201 record) fingtrack.com - Thailand (via fingtrack.com - Thailand (via 28 3 Blank Yes No No fingtrack.com No Yes No yahoo.com 91.210.101.56 fingtrack.com - No loxinfo.co.th ) loxinfo.co.th ) No The executable modifies and destructs files which are not temporary. 91.210.103.108 - UK (via 91.210.103.108 - Unknown uanetworking.com) Changes security settings of Internet Explorer: firstspaceglobal.com - First firstspaceglobal.com - USA (via New 91.210.103.108 - Yes (no Whois Space Ltd Dream Network, LLC - The executable creates and/or modifies registry record) (facilitymedia.com) dreamhost.com) 24/02/201 entries. firstspaceglobal.com - No goboint.com - personal record in goboint.com - USA (via 29 3 Gibberish Yes (2) No No firstspaceglobal.com & goboint.com No Yes No gmx.at 91.210.103.108 goboint.com - No China wiredtree.com) No The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 91.210.101.37 - UK (via The executable creates and/or modifies registry 91.210.101.37 - Yes (no Whois 91.210.101.37 - Unknown uanetworking.com) 25/02/201 entries. record) ascensionparishbangalore.org - ascensionparishbangalore.org - USA 30 3 Gibberish Yes No No ascensionparishbangalore.org No Yes No yahoo.com 91.210.101.37 ascensionparishbangalore.org - No Relay Admedia (Bangalore) (via dimenoc.com) No 26/02/201 121.97.110.43 - BayanTel 121.97.110.43 - Phillipines (via No (rediffmail.com listed as 31 3 Dating website Yes No Yes - basic amazonaws.com No Yes No yahoo.com 121.97.110.43 121.97.110.43 - No Broadband DSL (bayan.com.ph) skyinet.net) recipient) The executable modifies and destructs files which are not temporary. Changes security settings of Internet Explorer: 189.220.127.202 - TV CABLE S.A. 189.220.127.202 - Mexico (via The executable creates and/or modifies registry 189.220.127.202 - No DE C.V. CABLEONLINE.COM.MX) 28/02/201 Yes - Yes - shortener and a entries. 0102.0346.0263.127 - Yes (no (Mexico) 0102.0346.0263.127 - USA (via 32 3 Ecard Yes bit.ly redirect answeryourquestion.com redirects to 0102.0346.0263.127 No Yes No yahoo.com 189.220.127.202 Whois record) 0102.0346.0263.127 - Unknown oxeo.com) No (yahoo.es listed as recipient) TOTAL 31/32 2/32 2/32 0 31/32 1 4/32