One example from fresh spam.
Spam coming in via 92.126.72.138, krasnet.ru.
Spamvertised domain is atlanticbody.com.
Which is hosted on a botnet.
atlanticbody.com's main content is a frame pulled from:
h||p://www.fjfnfnfnaaswwospotyacai.com/?a_aid=met2 (don't try to pronounce that!)
Hosted at 66.90.104.168, fdcservers.net.
Links found on the unpronounceable domain:
https://www.myherbalcheckout.com/mypureacai/checkout.php
Hosted at 66.90.74.18, again fdcservers.net.
A JavaScript:
h||p://www.acaiberrycheckout.com/vsa/callagent.php?cid=2
A posting with no present useful information.
But in case it will come in handy for somebody, someday, here it is.
Sometimes "strangers" show up on various botnets, kind of breaks the pattern.
Like "waledac" domains first showed up on the Asprox botnet around Christmas.
I am steadily getting between 5 and 10 Acai berry spams daily to one of my mailboxes.
More sporadically to others.
One of the key factors in this setup is the use of a botnet.
The fastflux tracker on abuse.ch is calling this an unknown botnet, so far.
Trend Micro mentioning a possible connection between Conficker and Waledac:
DOWNAD/Conficker Watch: New Variant in The Mix?
Quote:
Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file.
Another one from the same article:
This one goes without any lengthy comment:

But you could try a search for www.abcxstats on this site.
Just to see what "The finest and most advanced internet marketers on the planet" are up to.
I could use some income as an affiliate, but I stink at selling stuff.
Again I am starting out slowly with notes mostly to myself.
I have been staring at this one for some days now.
Time to get something written.
Notes, from spam I have received:
Spam pointing to various subdomains of what I suppose is a free hosting provider, interia.pl. For example: noioddoy.eu.interia. pl.
Which redirects to actweight. com. This is the botnet hosted domain.
This again redirects to acaiberryprotoday.com/?a_aid=[varies].
Hosted at 123.108.108.189, something called PANGNET / Pang International Limited in Hong Kong.
This is connected to the recent rash of classmates spam and corresponding domains hosted on a botnet.
Most of the "classmates" domains seem to be mentioned around, slowly:
beginupdate.com, complayer11.com, downoalsdcenter.com, servletsoftplayer.com, streetplayerc.com, streetsciences.com (nameservers).
Detection of the malware seems to be catching up nicely too.
A result of 30/39 (76.93%) at virustotal for a file named Adobe_Player10.exe.
http://www.virustotal.com/analisis/01121b2cd6a30b6c3988597dfb867d35
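An added example, not part of the original notes: the redirect chains above (free-hosting subdomain, botnet-hosted domain, landing page with an `a_aid` affiliate parameter) can be normalized and grouped by affiliate ID so that separate spam runs paying the same affiliate show up together. The sample chains are constructed with reserved `.example` names, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

def refang(indicator):
    """Undo the three defanging styles used in these notes, for one indicator."""
    s = indicator.strip()
    s = re.sub(r'^h\|\|p(s?)://', r'http\1://', s, flags=re.I)  # h||p:// -> http://
    s = re.sub(r'\s*[(\[]dot[)\]]\s*', '.', s, flags=re.I)      # (dot)   -> .
    s = re.sub(r'\.\s+', '.', s)                                 # "host. tld" -> "host.tld"
    return s

def parse_hop(indicator):
    """Return (hostname, affiliate id or None) for one hop of a chain."""
    s = refang(indicator)
    if '://' not in s:
        s = 'http://' + s  # bare hostname: add a scheme so urlsplit finds the host
    parts = urlsplit(s)
    aid = parse_qs(parts.query).get('a_aid', [None])[0]
    return parts.hostname, aid

def group_by_affiliate(chains):
    """Map each a_aid to the set of hostnames seen in chains that carried it."""
    groups = defaultdict(set)
    for chain in chains:
        hops = [parse_hop(h) for h in chain]
        aids = {aid for _, aid in hops if aid}
        # Chains without any a_aid are collected under the key None.
        for aid in aids or {None}:
            groups[aid].update(host for host, _ in hops)
    return dict(groups)

# Constructed sample chains (assumption: one list per spam message, hops in order).
SAMPLE_CHAINS = [
    ["abc.freehost. example", "botnet-hosted. example",
     "h||p://www.landing.example/?a_aid=aff1"],
    ["xyz.freehost. example", "other-flux(dot)example",
     "h||p://www.landing.example/?a_aid=aff1"],
    ["h||p://www.shop.example/checkout.php"],
]

if __name__ == "__main__":
    for aid, hosts in group_by_affiliate(SAMPLE_CHAINS).items():
        print(aid, sorted(hosts))
```

The refanged output is meant for blocklists and reports; `refang` expects a single indicator, not a whole sentence.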