Thursday, August 15, 2013

Spamvertised 'Confirmed Facebook Friend Request' Themed Emails Serve Client-Side Exploits

A currently circulating malicious spam campaign entices users into thinking they have received a legitimate 'Friend Confirmation Request' on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular.

Client-side exploits serving URL:

Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab - detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj
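Exploit documents for CVE-2010-0188 typically carry the malformed TIFF as a base64-encoded image inside an XFA form stream, which gives defenders a cheap triage heuristic. The script below is an added example, not code from the original post; the sample PDF is constructed here and contains only TIFF magic bytes, not an exploit.

```python
import base64
import re
import zlib

# Constructed sample: a minimal PDF whose XFA form stream embeds a base64 TIFF header.
# Only the magic bytes are present, so this exercises the heuristic without any exploit.
TIFF_LE = b"II*\x00" + b"\x08\x00\x00\x00"
XFA_XML = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
           b'<field name="img"><ui><imageEdit/></ui><value>'
           b'<image contentType="image/tif">' + base64.b64encode(TIFF_LE) +
           b'</image></value></field></template></xdp:xdp>')
COMPRESSED = zlib.compress(XFA_XML)
SAMPLE_PDF = (b"%PDF-1.6\n"
              b"1 0 obj<</Type/Catalog/AcroForm<</XFA 2 0 R>>>>endobj\n"
              b"2 0 obj<</Length " + str(len(COMPRESSED)).encode() +
              b"/Filter/FlateDecode>>stream\n" + COMPRESSED +
              b"\nendstream endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
IMAGE_RE = re.compile(rb"<image[^>]*>([A-Za-z0-9+/=\s]+)</image>", re.S)

def extract_streams(pdf):
    """Yield every PDF stream body, inflating FlateDecode streams where possible."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            yield zlib.decompress(raw)   # FlateDecode
        except zlib.error:
            yield raw                    # uncompressed or some other filter

def find_xfa_tiff_images(pdf):
    """Return the TIFF magic of every base64 image in an XFA form that decodes to TIFF."""
    hits = []
    for data in extract_streams(pdf):
        if b"<xdp:xdp" not in data and b"<template" not in data:
            continue                     # not an XFA form stream
        for m in IMAGE_RE.finditer(data):
            try:
                blob = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
            except ValueError:           # binascii.Error is a ValueError subclass
                continue
            if blob[:4] in (b"II*\x00", b"MM\x00*"):
                hits.append(blob[:4])
    return hits

def is_suspicious(pdf):
    """Triage verdict: any TIFF image embedded in an XFA form is worth a closer look."""
    return len(find_xfa_tiff_images(pdf)) > 0
```

A hit is a triage signal, not proof of exploitation; confirm by inspecting the TIFF structure or detonating the sample in a sandbox.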

Domain name reconnaissance:

Responding to the same IPs are also the following malicious domains:

Name servers used in these campaigns:

The following malicious MD5s are also known to have phoned back to the same IPs/were downloaded from the same IPs in the past:

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.