
Monday, June 29, 2009
Two Quick Updates

We blogged last week about the Fake Microsoft Update which was actually an attempt to infect visitors with ZBot in order to steal their banking passwords.

We continue to see more of this spam, but now there is also a “drive-by infection” component to it. That means that just visiting the website may be enough to infect you. The preferred drive-by method is an IFRAME injection which tries to open your Adobe Reader in a background window and use an infected PDF to infect you. To be successfully exploited via the drive-by, an older version of Adobe Reader would need to be present on the visitor’s computer.
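As an added example (not code from the original post), the following Python checks fetched page HTML for the kind of IFRAME the paragraph describes: a frame sized to nothing or hidden by inline CSS that points at a PDF or at an off-site host. The sample HTML, the host name `example-bad.test` and the page host `www.example.test` are constructed.

```python
"""Flag hidden IFRAMEs that pull a PDF or an off-site resource into a page.

Added example, not code from the original post. It assumes the page HTML is
already in hand (from a proxy capture or a crawler) and uses only the
standard library. SAMPLE_HTML and the hosts in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one normal visible iframe plus one injected, invisible
# iframe that loads a PDF from a third-party host.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/help/widget.html" width="300" height="200"></iframe>
<iframe src="http://example-bad.test/x.pdf" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

# Inline CSS that makes an element invisible without removing it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _dimension(value):
    """Parse a width/height attribute ('0', '0px', '300') into an int."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def _is_hidden(attrs):
    """True if the iframe is sized to nothing or hidden via inline CSS."""
    for key in ("width", "height"):
        size = _dimension(attrs.get(key, ""))
        if size is not None and size <= 1:
            return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html, page_host):
    """Return (src, reasons) for each iframe that deserves analyst attention.

    page_host is the host the page itself was fetched from; an iframe whose
    src points elsewhere is reported as 'off-site'.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if parsed.hostname and parsed.hostname.lower() != page_host.lower():
            reasons.append("off-site")
        if parsed.path.lower().endswith(".pdf"):
            reasons.append("pdf")
        # "off-site" alone is too noisy (ads, video embeds); require a
        # hidden frame or a document type that opens a plug-in.
        if "hidden" in reasons or "pdf" in reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.example.test"):
        print(src, why)
```

The check is deliberately conservative: a visible off-site frame is left alone, since legitimate pages embed those constantly, while a zero-sized or CSS-hidden frame, or any frame that hands a PDF to a plug-in, is exactly the shape of the injection the post describes.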

Fake Microsoft updates were seen today on these domain names:

update.microsoft.com.1ffli.com.mx
update.microsoft.com.h1hihk.com
update.microsoft.com.h1hiik.com
update.microsoft.com.h1hiik.net
update.microsoft.com.h1hikk.net
update.microsoft.com.h1hil1.com
update.microsoft.com.h1hil1.net
update.microsoft.com.h1hilh.com
update.microsoft.com.h1hilh.net
update.microsoft.com.h1hili.com
update.microsoft.com.h1hili.net
update.microsoft.com.h1hilk.com
update.microsoft.com.h1hilk.net
update.microsoft.com.h1hill.com
update.microsoft.com.h1hill.net
update.microsoft.com.hhili.com.mx
update.microsoft.com.hijjl1.com
update.microsoft.com.hijjlf.com
update.microsoft.com.hijjlh.com
update.microsoft.com.hijjll.com
update.microsoft.com.hilli.com.mx
update.microsoft.com.ij1ilik.com
update.microsoft.com.ijfilik.com
update.microsoft.com.ijhilik.com
update.microsoft.com.ijjilik.com
update.microsoft.com.ijjilik.net
update.microsoft.com.ijlilik.com
update.microsoft.com.ikihil1.com
update.microsoft.com.ikihil1.net
update.microsoft.com.ikihilf.com
update.microsoft.com.ikihilf.net
update.microsoft.com.ikihilh.com
update.microsoft.com.ikihilh.net
update.microsoft.com.ikihilk.com
update.microsoft.com.ikihill.com
update.microsoft.com.ikihill.net
update.microsoft.com.ikkilf1.com
update.microsoft.com.ikkilif.com
update.microsoft.com.ikkilih.com
update.microsoft.com.ikkilii.com
update.microsoft.com.ikkilij.com
update.microsoft.com.ikkilik.com
update.microsoft.com.ikkilil.com
update.microsoft.com.ilifi.com.mx
update.microsoft.com.iljihli.com.mx
update.microsoft.com.kiffil.com.mx
update.microsoft.com.kijj1k.com
update.microsoft.com.kijji1.com
update.microsoft.com.kijji1.net
update.microsoft.com.kijjif.com
update.microsoft.com.kijjif.net
update.microsoft.com.kijjih.com
update.microsoft.com.kijjih.net
update.microsoft.com.kijjil.com
update.microsoft.com.kijjil.net
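
The names above share one trick: the genuine host name update.microsoft.com is used as a prefix, but the registrable domain is an attacker-controlled name such as h1hihk.com or 1ffli.com.mx. The following Python is an added example (not code from the original post) of a check a proxy or DNS log pipeline could apply to catch that pattern. It assumes a constructed, deliberately small public-suffix table and a brand list that contains only update.microsoft.com; the sample host list is constructed from names on this page plus one unrelated name.

```python
"""Spot hostnames that impersonate update.microsoft.com by prepending it to
some other registrable domain.

Added example, not code from the original post. PUBLIC_SUFFIXES is a small
constructed subset that covers the names in the post; real deployments
should load the full Public Suffix List instead.
"""

# Constructed subset of public suffixes. Multi-label suffixes matter:
# "1ffli.com.mx" must come out as the registrable name, not "com.mx".
PUBLIC_SUFFIXES = {"com", "net", "org", "mx", "com.mx", "cn", "com.cn"}

# Host names an organisation expects its users to reach for updates.
LEGIT_HOSTS = {"update.microsoft.com"}

# Constructed sample: names taken from the post plus one unrelated host.
SAMPLE_HOSTS = [
    "update.microsoft.com",
    "update.microsoft.com.1ffli.com.mx",
    "update.microsoft.com.h1hihk.com",
    "www.example.com",
]


def registrable_domain(host):
    """Return the registrable part of a hostname: one label plus the longest
    public suffix that matches. Returns None for a bare suffix."""
    labels = host.lower().strip(".").split(".")
    # Scanning from the left tries the longest suffix candidate first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def impersonation_verdict(host, brand_hosts=LEGIT_HOSTS):
    """Classify a hostname as 'legit', 'impersonation' or 'unrelated'."""
    host = host.lower().strip(".")
    for brand in brand_hosts:
        if host == brand or host.endswith("." + brand):
            return "legit"
        # The brand appears as a run of labels somewhere in the name, yet
        # the name is registered under a different domain.
        if ("." + brand + ".") in ("." + host + "."):
            if registrable_domain(host) != registrable_domain(brand):
                return "impersonation"
    return "unrelated"


def triage(hosts):
    """Map each hostname to its verdict; handy over a DNS or proxy log."""
    return {h: impersonation_verdict(h) for h in hosts}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{verdict:14} {name}")
```

Because the verdict hinges on the registrable domain rather than on string prefixes alone, a real subdomain of update.microsoft.com stays "legit" while every name in the list above is reported as "impersonation". The suffix table decides what counts as registrable, so keep it current when using this beyond the names on this page.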

Second Update – we also mentioned the Spam Crisis in China last week, and would like to continue to urge Chinese officials to mount an appropriate response – especially toward networks hosting many spam domains, and toward Registrars who are registering many spam domains.

The top registrar for Chinese spam domains is currently “Ename.cn” which uses the Chinese name: 易名中国

In our spam for June 28th, we saw 195 unique domain names advertised in spam which were registered at eName.cn:

axuqiues.cn
bbegqewok.cn
bcicgaxan.cn
bdamnicok.cn
bewgohef.cn
bhapcajon.cn
biplovoq.cn
bkejezer.cn
bladferud.cn
bpittasiw.cn
bqilzoyus.cn
btaxfoqof.cn
bxiyzexiw.cn
byelufap.cn
bzemkonet.cn
cfirgofin.cn
ckosyedaw.cn
cloculez.cn
cpuvyomok.cn
cqutfesok.cn
cruznivif.cn
ctismumib.cn
cvapsohib.cn
cwehtiboh.cn
cwirbamus.cn
cwobueuj.cn
deoooren.cn
dfuknajec.cn
dkohhusur.cn
dlizafoy.cn
drucximuv.cn
drugsitechord.com.cn
drugsonlinefront.com.cn
dsunmulut.cn
dzonqovug.cn
dzoslakiy.cn
eqejucus.cn
fcoyekii.cn
fhoaabah.cn
fkuvtalow.cn
fubgogil.cn
fwakwedoc.cn
fwuzjixag.cn
fyoyifuh.cn
garfeduf.cn
gmuchidec.cn
goynoyod.cn
gresodag.cn
gtiqaxoh.cn
gtuhfugid.cn
guihiruj.cn
gyojviwus.cn
gzazduxux.cn
hbedvigog.cn
hdezqojok.cn
hhuxdutoh.cn
hsupohed.cn
htihnefug.cn
hwalvunol.cn
hxilxebim.cn
hxozripop.cn
hxuyakuh.cn
ihuyoruv.cn
jbalcefel.cn
jbiwzijef.cn
jjohojoq.cn
jluzyelig.cn
joivosah.cn
jrejsecut.cn
jtenruman.cn
jxulqaqam.cn
jyasvixih.cn
jyeffohec.cn
kjakbomih.cn
kkedfesaq.cn
kkicakoo.cn
klattiyoj.cn
kqimfebif.cn
kratvunaj.cn
lanqagep.cn
ljeydekat.cn
lpeskaduj.cn
lyubolud.cn
medicaldirectpearl.com.cn
medsbeststreet.com.cn
mfuddonib.cn
mhawuhuy.cn
mmulceyip.cn
mmuqdumay.cn
mnurwuyiw.cn
moahoyev.cn
mpasgukux.cn
mrazkebet.cn
mtoldiyel.cn
mvalpotor.cn
mzaxyitul.cn
newpharmthe.com.cn
newrxflair.com.cn
nqaqbuqih.cn
onlinepillsflat.com.cn
pdaspikot.cn
phacurus.cn
pharmssitefarm.com.cn
pilldirectage.com.cn
pillsgreatup.com.cn
ppibgoken.cn
pqobviqut.cn
psocnujiq.cn
pvefzoder.cn
qcimgoroq.cn
qdasgemuk.cn
qkivvisor.cn
qriwxemez.cn
qubribox.cn
qwibfojuy.cn
rciqdoniz.cn
rfadukoe.cn
rgafwadif.cn
rgiyiuoz.cn
rgugzobaf.cn
rjokpayij.cn
rjulcuzex.cn
rkijnefid.cn
rnueulah.cn
rtuymerol.cn
rwalzufuh.cn
ryakiruv.cn
rzijheduf.cn
shacoqiw.cn
sizlehag.cn
sjizsumut.cn
smartdrugtell.com.cn
sqihemas.cn
stezcimip.cn
storemedburn.com.cn
superpharmacymelody.com.cn
sxaviyod.cn
syuczuwex.cn
tcewqucox.cn
tgamauik.cn
thewkujiv.cn
thilmogap.cn
tjaxpetoy.cn
tluksumov.cn
tnatxusof.cn
tnokpaduk.cn
toppilldrink.com.cn
tpoxrugur.cn
troknizec.cn
tuwxabup.cn
tvaiigiz.cn
tzoxboyuk.cn
vhesfanex.cn
vkimgimaw.cn
vnangihar.cn
vnuzijav.cn
vqetokuj.cn
vqukhacun.cn
vrebewez.cn
vtubnenom.cn
vwahmazav.cn
vxilretop.cn
vyiycunud.cn
wcerdolis.cn
wrivhetes.cn
wtasjediv.cn
wwepkuroz.cn
wwetsozoy.cn
wxaqbaqet.cn
wxutnavih.cn
wyoydolod.cn
xcohwibac.cn
xfivdosih.cn
xfopbetid.cn
xhosiniq.cn
xuipaiaq.cn
xvoqfuwog.cn
xvuwbudok.cn
xyipmakif.cn
ybozliqay.cn
yfetwonoc.cn
yjubcejaj.cn
ylopqufoq.cn
ynabaqio.cn
yqafvunib.cn
yruvjinil.cn
zbofyazal.cn
zcugfaniq.cn
zmuyjefil.cn
znoyrulef.cn
zpoywanup.cn
zrapzotar.cn
zriwsumoc.cn
zsalwosad.cn
zzilmasiy.cn

Posted by UAB’s Director of Research in Computer Forensics