Two Quick Updates

We blogged last week about the Fake Microsoft Update which was actually an attempt to infect visitors with ZBot in order to steal their banking passwords.

We continue to see more of this spam, but now there is also a "drive-by infection" component to the spam. That means that just visiting the website may be enough to infect you. The preferred driveby method is an IFRAME injection which tries to open your Adobe Reader to use an infected PDF to infect you in a background window. To be successfully exploited via the drive-by, an older version of Adobe Reader would need to be present on the visitor's computer.

Fake Microsoft updates were seen today on these domain names:

update.microsoft.com.1ffli.com.mx
update.microsoft.com.h1hihk.com
update.microsoft.com.h1hiik.com
update.microsoft.com.h1hiik.net
update.microsoft.com.h1hikk.net
update.microsoft.com.h1hil1.com
update.microsoft.com.h1hil1.net
update.microsoft.com.h1hilh.com
update.microsoft.com.h1hilh.net
update.microsoft.com.h1hili.com
update.microsoft.com.h1hili.net
update.microsoft.com.h1hilk.com
update.microsoft.com.h1hilk.net
update.microsoft.com.h1hill.com
update.microsoft.com.h1hill.net
update.microsoft.com.hhili.com.mx
update.microsoft.com.hijjl1.com
update.microsoft.com.hijjlf.com
update.microsoft.com.hijjlh.com
update.microsoft.com.hijjll.com
update.microsoft.com.hilli.com.mx
update.microsoft.com.ij1ilik.com
update.microsoft.com.ijfilik.com
update.microsoft.com.ijhilik.com
update.microsoft.com.ijjilik.com
update.microsoft.com.ijjilik.net
update.microsoft.com.ijlilik.com
update.microsoft.com.ikihil1.com
update.microsoft.com.ikihil1.net
update.microsoft.com.ikihilf.com
update.microsoft.com.ikihilf.net
update.microsoft.com.ikihilh.com
update.microsoft.com.ikihilh.net
update.microsoft.com.ikihilk.com
update.microsoft.com.ikihill.com
update.microsoft.com.ikihill.net
update.microsoft.com.ikkilf1.com
update.microsoft.com.ikkilif.com
update.microsoft.com.ikkilih.com
update.microsoft.com.ikkilii.com
update.microsoft.com.ikkilij.com
update.microsoft.com.ikkilik.com
update.microsoft.com.ikkilil.com
update.microsoft.com.ilifi.com.mx
update.microsoft.com.iljihli.com.mx
update.microsoft.com.kiffil.com.mx
update.microsoft.com.kijj1k.com
update.microsoft.com.kijji1.com
update.microsoft.com.kijji1.net
update.microsoft.com.kijjif.com
update.microsoft.com.kijjif.net
update.microsoft.com.kijjih.com
update.microsoft.com.kijjih.net
update.microsoft.com.kijjil.com
update.microsoft.com.kijjil.net


Second Update - we mentioned the Spam Crisis in China also last week, and would like to continue to encourage Chinese officials to encourage an appropriate response - especially for networks hosting many spam domains, and for Registrars who are registering many spam domains.

The top registrar for Chinese spam domains is currently "Ename.cn" which uses the Chinese name: 易名中国

In our spam for June 28th, we saw 195 unique domain names advertised in spam which were registered at eName.cn /

axuqiues.cn
bbegqewok.cn
bcicgaxan.cn
bdamnicok.cn
bewgohef.cn
bhapcajon.cn
biplovoq.cn
bkejezer.cn
bladferud.cn
bpittasiw.cn
bqilzoyus.cn
btaxfoqof.cn
bxiyzexiw.cn
byelufap.cn
bzemkonet.cn
cfirgofin.cn
ckosyedaw.cn
cloculez.cn
cpuvyomok.cn
cqutfesok.cn
cruznivif.cn
ctismumib.cn
cvapsohib.cn
cwehtiboh.cn
cwirbamus.cn
cwobueuj.cn
deoooren.cn
dfuknajec.cn
dkohhusur.cn
dlizafoy.cn
drucximuv.cn
drugsitechord.com.cn
drugsonlinefront.com.cn
dsunmulut.cn
dzonqovug.cn
dzoslakiy.cn
eqejucus.cn
fcoyekii.cn
fhoaabah.cn
fkuvtalow.cn
fubgogil.cn
fwakwedoc.cn
fwuzjixag.cn
fyoyifuh.cn
garfeduf.cn
gmuchidec.cn
goynoyod.cn
gresodag.cn
gtiqaxoh.cn
gtuhfugid.cn
guihiruj.cn
gyojviwus.cn
gzazduxux.cn
hbedvigog.cn
hdezqojok.cn
hhuxdutoh.cn
hsupohed.cn
htihnefug.cn
hwalvunol.cn
hxilxebim.cn
hxozripop.cn
hxuyakuh.cn
ihuyoruv.cn
jbalcefel.cn
jbiwzijef.cn
jjohojoq.cn
jluzyelig.cn
joivosah.cn
jrejsecut.cn
jtenruman.cn
jxulqaqam.cn
jyasvixih.cn
jyeffohec.cn
kjakbomih.cn
kkedfesaq.cn
kkicakoo.cn
klattiyoj.cn
kqimfebif.cn
kratvunaj.cn
lanqagep.cn
ljeydekat.cn
lpeskaduj.cn
lyubolud.cn
medicaldirectpearl.com.cn
medsbeststreet.com.cn
mfuddonib.cn
mhawuhuy.cn
mmulceyip.cn
mmuqdumay.cn
mnurwuyiw.cn
moahoyev.cn
mpasgukux.cn
mrazkebet.cn
mtoldiyel.cn
mvalpotor.cn
mzaxyitul.cn
newpharmthe.com.cn
newrxflair.com.cn
nqaqbuqih.cn
onlinepillsflat.com.cn
pdaspikot.cn
phacurus.cn
pharmssitefarm.com.cn
pilldirectage.com.cn
pillsgreatup.com.cn
ppibgoken.cn
pqobviqut.cn
psocnujiq.cn
pvefzoder.cn
qcimgoroq.cn
qdasgemuk.cn
qkivvisor.cn
qriwxemez.cn
qubribox.cn
qwibfojuy.cn
rciqdoniz.cn
rfadukoe.cn
rgafwadif.cn
rgiyiuoz.cn
rgugzobaf.cn
rjokpayij.cn
rjulcuzex.cn
rkijnefid.cn
rnueulah.cn
rtuymerol.cn
rwalzufuh.cn
ryakiruv.cn
rzijheduf.cn
shacoqiw.cn
sizlehag.cn
sjizsumut.cn
smartdrugtell.com.cn
sqihemas.cn
stezcimip.cn
storemedburn.com.cn
superpharmacymelody.com.cn
sxaviyod.cn
syuczuwex.cn
tcewqucox.cn
tgamauik.cn
thewkujiv.cn
thilmogap.cn
tjaxpetoy.cn
tluksumov.cn
tnatxusof.cn
tnokpaduk.cn
toppilldrink.com.cn
tpoxrugur.cn
troknizec.cn
tuwxabup.cn
tvaiigiz.cn
tzoxboyuk.cn
vhesfanex.cn
vkimgimaw.cn
vnangihar.cn
vnuzijav.cn
vqetokuj.cn
vqukhacun.cn
vrebewez.cn
vtubnenom.cn
vwahmazav.cn
vxilretop.cn
vyiycunud.cn
wcerdolis.cn
wrivhetes.cn
wtasjediv.cn
wwepkuroz.cn
wwetsozoy.cn
wxaqbaqet.cn
wxutnavih.cn
wyoydolod.cn
xcohwibac.cn
xfivdosih.cn
xfopbetid.cn
xhosiniq.cn
xuipaiaq.cn
xvoqfuwog.cn
xvuwbudok.cn
xyipmakif.cn
ybozliqay.cn
yfetwonoc.cn
yjubcejaj.cn
ylopqufoq.cn
ynabaqio.cn
yqafvunib.cn
yruvjinil.cn
zbofyazal.cn
zcugfaniq.cn
zmuyjefil.cn
znoyrulef.cn
zpoywanup.cn
zrapzotar.cn
zriwsumoc.cn
zsalwosad.cn
zzilmasiy.cn