Well this is not the first one, but at least I find it relevant since it is not being detected by (almost) any AV engines - I mean command line versions on VirusTotal.
Here is what the MSN message looks like:
I clicked on the link aztec-casino.uk... the browser popped up and offered me to download a file named installcasino.exe.
Unfortunately for the bad guys, a BSD derivative kernel is kindda immune to Win 32 PE files... :)
According to VirusTotal, only 1 engine out of 41 detects the sample:
The only detection is an heuristic one. Please keep in mind that VirusTotal uses command line versions of AV engines, and this may reduce heuristic features or particular content dynamic analysis.
I'm waiting for an online sandbox analysis results.
What about URL filtering? not better either:
- nothing for McAfee TrustedSource:
- nothing for IronPort / SurfControl:
http://mtas.surfcontrol.com/MTASResults.asp (says 'not in our list' at the time of writting).
What about domain informations?
- a bit weird according to Netcraft: UK or De?
- brazilian IP address according to DomainCrawler? no WhoIs information...
What about DNS?
> server 18.104.22.168
Default server: 22.214.171.124
OpenDNS and my ISP do agree about the IP resolution, therefore that should be correct.
Then I guess RIPE will be a pretty reliable about geo-localization:
and (this winner is): Germany.