FYI...

Fake Fedex email invoice lead to BlackHole Exploit kit
- http://blog.webroot.com/2012/09/14/s...e-exploit-kit/
Sep 14, 2012 - "... cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware and exploits-serving URL found in the malicious email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Sample client-side exploits serving URLs: hxxp ://studiomonahan .net/main.php?page=2bfd5695763b6536 (200.42.159.6, AS10481; 206.253.164.43, AS6921); hxxp ://gsigallery .net/main.php?page=2bfd5695763b6536 (208.91.197.54, AS40034)
Sample client-side exploits served: CVE-2010-1885
Detection rate for a sample Java script redirector: MD5: 32a74240c7e1a34a2a8ed8749758ef15* ...
JS/Iframe.FR; Trojan-Downloader.JS.Iframe.dbe; JS/Exploit-Blacole.hd
Upon successful client-side exploitation, the campaign drops MD5: f9904f305de002ad5c0ad4b4648d0ca7** ... Trojan.Win32.Obfuscated.aopm; Worm:Win32/Cridex.E
... and MD5: 0e2c968865d34c8570bb69aa6156b915*** Worm.Win32.Cridex.jb
The first sample phones back to 195.111.72.46 :8080/mx/5/B/in/ (AS1955) and to 87.120.41.155 :8080/mx/5/B/in (AS13147), and the second sample initiates DNS queries to droppinlever .pro; lambolp700tuning .ru and it also produces TCP traffic to 146.185.220.32 on port 443, as well as to 192.5.5.241 again on port 443.
... We’ve already seen numerous malicious campaigns phoning back one of these command and control servers, 87.120.41.155 :8080/mx/5/B/in in particular..."
* https://www.virustotal.com/file/ae6b...is/1347545788/
File name: Fedex.html
Detection ratio: 8/41
Analysis date: 2012-09-13
** https://www.virustotal.com/file/b417...9ba0/analysis/
File name: f9904f305de002ad5c0ad4b4648d0ca7.malware
Detection ratio: 30/42
Analysis date: 2012-09-13
*** https://www.virustotal.com/file/cb66...4a47/analysis/
File name: a36fc381c480e4e7ee09c89d950195c2
Detection ratio: 24/42
Analysis date: 2012-09-11