early 2013 Postal-Receipt.zip malware campaign

Postby NotBuyingIt » Mon Mar 04, 2013 1:29 pm

Listed below are various URLs that download a deceptive file Postal-Receipt.zip (or an earlier version without the hyphen). Some of the URLs have already been disabled or removed from their servers. Most of the URLs were recently reported by Joe Wein as possible phishing scams, probably because they are typically found in spam email that fraudulently claims to be from either "FedEx" or another shipping company. Only a few antivirus programs currently flag the most recent version of the ZIP file as dangerous or suspicious.

The malicious webpages are coded to reply with HTTP 404 to IP addresses known to be used by many badware reporting sources including PhishTank (example) and by all of the free anonymous proxy servers that I've been using to confirm the ZIP file.

I'd like to continue following the campaign if I could find a few more free anonymous proxy servers that would still work. Suggestions for some?


Re: early 2013 Postal-Receipt.zip malware campaign

Postby trobbins » Mon Mar 04, 2013 5:58 pm

I noticed that many of the .php files start with a period. This means that if somebody just issues an "ls" they will not see the file. When reporting the links, I would mention that the .php file is a hidden file and they need to issue "ls -a" to see the hidden files on a Unix OS.
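A check a site owner can run after receiving such a report, added here as an example and not taken from the thread: it uses find, which descends into every directory and does not hide dot-files the way a bare "ls" does. The web root is an assumed argument; the file names in the comments are constructed.

```shell
#!/bin/sh
# Added example: list dot-prefixed PHP files under a web root.
# A name like "tmp/.abc123.php" (constructed) is skipped by "ls" but not by
# find, and find also covers nested paths such as wp-content/plugins/.
find_hidden_php() {
    root="$1"
    # -type f: regular files only; -name '.*.php': names starting with a dot
    # and ending in .php. Unreadable directories are silenced, output sorted
    # so the list is stable for diffing between checks.
    find "$root" -type f -name '.*.php' 2>/dev/null | sort
}

# Number of hidden PHP files, handy as a one-value health check in cron.
count_hidden_php() {
    find_hidden_php "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./check.sh /var/www/html  (path is an assumption)
if [ -n "${1:-}" ]; then
    find_hidden_php "$1"
fi
```

A non-zero count on a host that does not intentionally use dot-named PHP files is worth a manual look at the file contents and modification times.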

Re: early 2013 Postal-Receipt.zip malware campaign

Postby Red Dwarf » Mon Mar 04, 2013 8:34 pm

NotBuyingIt wrote:
I'd like to continue following the campaign if I could find a few more free anonymous proxy servers that would still work. Suggestions for some?

The Vidalia/Tor package gives you hundreds.