-
Malware Domain Blocklist updated...
FYI...
DNS-BH – Malware Domain Blocklist
- http://www.malwaredomains.com/
- http://www.malwaredomains.com/wordpress/?page_id=2
"The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.
This list is also available in AdBlock and ISA Format..."
To install the AdblockPlus extension in Firefox, click here:
- https://addons.mozilla.org/en-US/firefox/addon/1865
- http://www.youtube.com/watch?v=oNvb2SjVjjI
Blocking malicious sites with Adblock Plus
- http://adblockplus.org/blog/blocking...h-adblock-plus
"... another layer of protection..."
Scroll down to: "... click here to subscribe to the list in Adblock Plus..." and click on the link - click OK to the popup for "Add subscription" - done.
:fear:
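The first post describes what DNS-BH ships: Bind zone files that answer every listed domain with localhost, plus a Windows hosts-style form. As an added example (not the DNS-BH project's own generator), the script below turns a blocklist into both forms. The input format, the sinkhole file path and the SOA values are assumptions, and the sample list is constructed, not real feed data; malformed entries and `localhost` itself are dropped so that one bad line cannot break the resolver's configuration.

```python
"""Added example (not from the DNS-BH project): turn a domain blocklist into
Bind `zone` statements and a hosts-file fragment that resolve to localhost.
The input format below is an assumption (domain, category, source, tab-separated
with '#' comment lines); the real feed's column layout is not assumed here."""
import re

# Constructed sample list, not the real malwaredomains.com feed.
SAMPLE_LIST = """\
## constructed sample, not the real feed
bad-example.test\tmalvertising\tconstructed
evil-kit.example\texploit\tconstructed
bad-example.test\tmalvertising\tconstructed
localhost\tmistake\tconstructed
not a domain!\tmistake\tconstructed
"""

# Loose hostname check: letter/digit/hyphen labels, at least two labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Names that must never be sinkholed even if a feed lists them.
NEVER_BLOCK = {"localhost", "localhost.localdomain"}

def parse_blocklist(text: str) -> list[str]:
    """Return the unique, syntactically valid domains in list order.
    Comment and blank lines are skipped; malformed names are dropped so a bad
    entry cannot produce an unparseable zone statement."""
    seen, domains = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split("\t")[0].strip().lower().rstrip(".")
        if name in NEVER_BLOCK or not _HOSTNAME_RE.match(name):
            continue
        if name not in seen:
            seen.add(name)
            domains.append(name)
    return domains

def bind_zone_statements(domains, sinkhole_file="/etc/namedb/blockeddomain.hosts"):
    """One Bind 'zone' statement per domain, all sharing one zone file whose
    records resolve the name and everything below it to 127.0.0.1.
    The sinkhole file path is an assumed local setting."""
    return "".join(
        f'zone "{d}" {{ type master; notify no; file "{sinkhole_file}"; }};\n'
        for d in domains
    )

def sinkhole_zone_file() -> str:
    """Contents of the shared zone file: apex and wildcard both answer localhost.
    SOA/NS values are placeholders for a local resolver."""
    return (
        "$TTL 86400\n"
        "@ IN SOA localhost. root.localhost. ( 2012092501 3600 900 604800 86400 )\n"
        "@ IN NS  localhost.\n"
        "@ IN A   127.0.0.1\n"
        "* IN A   127.0.0.1\n"
    )

def hosts_file_entries(domains) -> str:
    """hosts-file form (Windows or Unix): exact names only, no subdomain coverage,
    which is why the Bind form above is the stronger of the two."""
    return "".join(f"127.0.0.1 {d}\n" for d in domains)

if __name__ == "__main__":
    ds = parse_blocklist(SAMPLE_LIST)
    print(bind_zone_statements(ds))
    print(sinkhole_zone_file())
    print(hosts_file_entries(ds))
```

The difference between the two outputs matters when reading update notices later in this thread: a Bind zone for a listed domain also captures every subdomain, while a hosts entry matches the exact name only.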
-
Malware Domain Blocklist updated - 2012.04.15
FYI...
BH-DNS Update: 125 New Domains
- http://www.malwaredomains.com/wordpress/?p=2603
April 15th, 2012 - "Added 125 new domains associated with scams, trojans, mebroot, etc. Sources include exposure.iseclab.org, threatexpert.com, malwareurl.com..."
:fear:
-
Malware Domain Blocklist updated - 2012.04.18
FYI...
hostexploit.com top bad hosts – 2012 Q1
- http://www.malwaredomains.com/wordpress/?p=2612
April 18th, 2012 - "We added our 'friends' nikjju . com and best-antiviruu.de .lv and also listed domains from ISPs or hosting services listed on hostexploit.com's Q1 report on the top bad hosts*. To round things out, we also added domains flagged by sucuri as having malicious javascript or iframes..."
* http://hostexploit.com/
___
Top 3 AS listed at Hostexploit:
Diagnostic page for AS16138 (INTERIA.PL)
- http://google.com/safebrowsing/diagnostic?site=AS:16138
"... 1580 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-19, and the last time suspicious content was found was on 2012-04-19... Over the past 90 days, we found 21 site(s) on this network.. that appeared to function as intermediaries for the infection of 25 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including... that infected 28 other site(s)..."
> http://sitevet.com/db/asn/AS16138
Diagnostic page for AS47583 (HOSTING)
- http://google.com/safebrowsing/diagnostic?site=AS:47583
"... 1303 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-19, and the last time suspicious content was found was on 2012-04-18... Over the past 90 days, we found 110 site(s) on this network... that appeared to function as intermediaries for the infection of 934 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 151 site(s)... that infected 1164 other site(s)..."
> http://sitevet.com/db/asn/AS47583
Diagnostic page for AS33182 (DIMENOC)
- http://google.com/safebrowsing/diagnostic?site=AS:33182
"... 1966 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-19, and the last time suspicious content was found was on 2012-04-19... Over the past 90 days, we found 44 site(s)... that appeared to function as intermediaries for the infection of 65 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 87 site(s)... that infected 160 other site(s)..."
> http://sitevet.com/db/asn/AS33182
:fear::fear:
-
Malware Domain Blocklist updated - 2012.04.21
FYI...
Fake-AV, exploit, malvertising domains
- http://www.malwaredomains.com/wordpress/?p=2616
April 21st, 2012 - "Added 124 domains associated with rogue/fake AV, malvertising, exploits, etc. Sources include hosts-file.net, emergingthreats.net, urlvoid.com..."
:fear:
-
Malware Domain Blocklist updated - 2012.04.27
FYI...
Small Update – 4/27
- http://www.malwaredomains.com/wordpress/?p=2635
April 28th, 2012 - "... Added a couple of dozen malvertising, zeus, palevo and other harmful domains on 4/27..."
:fear:
-
Malware Domain Blocklist updated - 2012.04.29
FYI...
malvertising, malicious js, bugat domains
- http://www.malwaredomains.com/wordpress/?p=2653
April 29th, 2012 - "Added 137 domains associated with google safebrowsing, malvertising, malicious javascript, etc. Sources include exposure.iseclab.org, safebrowsing.clients.google.com, stopmalvertising.com and others..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.05.04
FYI...
bhexploitkit, htaccess, iframes, trojans...
- http://www.malwaredomains.com/wordpress/?p=2660
May 4th, 2012 - "Added 110 domains associated with htaccess redirects, malicious iframes, trojans, etc. sources include malwaredomainlist.com, safebrowsing.clients.google.com, jsunpack.jeek.org..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.05.06
FYI...
Exploit Domains, iframes, malvertising
- http://www.malwaredomains.com/wordpress/?p=2663
May 6th, 2012 - "Added over 140 domains associated with exploits, malvertising, ransom/rogues, and of course zeus, etc. Sources: mwis.ru, vxvault.siri-urz.net, vxvault.siri-urz.ne..."
:fear: :spider:
-
Malware Domain Blocklist updated - 2012.05.13
FYI...
sql injection, htaccess, malicious js domains
- http://www.malwaredomains.com/wordpress/?p=2673
May 13th, 2012 - "Added domains associated with htaccess redirection, sql injection, iframes, etc..."
:fear:
-
Malware Domain Blocklist updated - 2012.05.17
FYI...
BH Exploit Kit, malvertising, cridex domains
- http://www.malwaredomains.com/wordpress/?p=2676
May 17th, 2012 - "Added almost 150 domains associated with Black Hole Exploits, malvertising, cridex, etc. Sources: mwis.ru, zeustracker.abuse.ch, exposure.iseclab.org and several others..."
:fear:
-
Malware Domain Blocklist updated - 2012.05.22
FYI...
htaccess redirects, malicious javascript, trojans
- http://www.malwaredomains.com/wordpress/?p=2684
May 22nd, 2012 - "Added 137 domains associated with htaccess redirects, malvertising, iframes, trojans, etc. Sources: exposure.iseclab.org, threatexpert.com, zeustracker, sucuri.net, and others..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.05.26
FYI...
Java Exploits, malicious advertising, SutraTDS
- http://www.malwaredomains.com/wordpress/?p=2691
May 26th, 2012 - "Added over 100 domains associated with malvertising, java exploits, htaccess redirects. Sources include hosts-file.net, mwis.ru, sucuri.net..."
:fear:
-
Malware Domain Blocklist updated - 2012.06.01 ...
FYI...
Flamer, htaccess, botnet, malspam domains...
- http://www.malwaredomains.com/wordpress/?p=2705
June 1st, 2012 - "Added over 140 malicious domains associated with flamer, htaccess redirects, malspam etc. Sources include spamhaus.org, malwareurl.com, malware-control.com and many others..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.06.04 ...
FYI...
BH Exploit, citadel, malspam, Tinba domains...
- http://www.malwaredomains.com/wordpress/?p=2714
June 4th, 2012 - "Added over 140 domains associated with Tinba, pornmocup, black hole exploits, etc. Sources include exposure.iseclab.org, c-apture.blogspot.com, hosts-file.net, malware-control.com and others..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.06.13 ...
FYI...
malvertising, malicious javascript, trojans...
- http://www.malwaredomains.com/wordpress/?p=2732
June 13th, 2012 - "Added over 140 domains associated with trojans, sql injection, malvertising, etc. Sources include xylibox.com, safebrowsing.clients.google.com, blog.dynamoo.com and others..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.06.17 ...
FYI...
zeroaccess, malspam, blackhole exploit domains
- http://www.malwaredomains.com/wordpress/?p=2735
June 17th, 2012 - "Added domains associated with bh exploits, malicious spam, zeroaccess and other trojans. Sources include labs.sucuri.net, hosts-file.net, blog.dynamoo.com..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.06.25 ...
FYI...
runforestrun, iceix, rogues, malvertising, malspam domains...
- http://www.malwaredomains.com/wordpress/?p=2749
June 25th, 2012 - "Two recent updates, adding over 230 domains associated with RunForestRun, IceIX, Malicious Spam, Malicious Advertising, etc. Sources include malwaredomainlist.com, isc.sans.org, hosts-file.net and many more..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.06.26 ...
FYI...
Runforestrun update
- http://www.malwaredomains.com/wordpress/?p=2758
June 26th, 2012 - "Old versions of Plesk store passwords in clear text
-> http://blog.unmaskparasites.com/2012...n-plesk-panel/
There is a remote SQL vulnerability that has been found in old versions of Plesk allowing attackers to exploit those passwords.
-> http://kb.parallels.com/en/113321
Combine these two together and what do you get, malware of course.
Plesk Vulnerability Leading to Malware
>> http://blog.sucuri.net/2012/06/plesk...o-malware.html
Runforestrun and Pseudo Random Domains
- http://blog.unmaskparasites.com/2012...andom-domains/
Run, Forest! (Update) – block 95.211.27.206
- https://isc.sans.edu/diary/Run+Forest+Update+/13561
We’ve added a bunch of these domains but you should check the resources above, as well as new IP addresses to block."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.06.28 ...
FYI...
BH Exploit Kit, Run Forest Run, fariet domains
- http://www.malwaredomains.com/wordpress/?p=2760
June 28th, 2012 - "A small but important update with some fariet, run forest run, bh exploit kit domains. Sources include blog.eset.com, microsoft.com, blog.urlvoid.com and others..."
:fear:
-
Malware Domain Blocklist updated - 2012.07.04 ...
FYI...
iframes, Pontoeb, scam domains
- http://www.malwaredomains.com/wordpress/?p=2771
July 4th, 2012 - "Added over 100 domains associated with Pontoeb, scams, malicious iframes, etc. Sources: spamhaus.org, vxvault.siri-urz.net, sucuri.net and others..."
:fear:
-
Malware Domain Blocklist updated - 2012.07.10 ...
FYI...
246 malicious domains added...
- http://www.malwaredomains.com/wordpress/?p=2783
July 10th, 2012 - "A very large update consisting of 246 domains associated with malvertising, iframes, black hole exploits, etc. Sources include malwaredomainlist.com, sucuri.net, dynamoo.com..."
:fear::fear::spider:
-
Malware Domain Blocklist updated - 2012.07.12 ...
FYI...
RunForestRun, malspam, malvertising Domains
- http://www.malwaredomains.com/wordpress/?p=2788
July 12th, 2012 - "Added 150 domains (runforestrun, malspam, malvertising)."
:fear:
-
Malware Domain Blocklist updated - 2012.07.16 ...
FYI...
Relisted Domains ...
- http://www.malwaredomains.com/wordpress/?p=2791
July 16th, 2012 - "Just went through a bunch of older domains and relisted almost 50 of them. Or do the bad guys wait and “lay low” with their domain until “the coast is clear” and once google safebrowsing delists them, they once again use the domain to serve up malware (Whack-a-Mole)? Do they have google APIs and check daily to see if their domain is delisted?... It’s like fast-flux except the time frame is months instead of minutes..."
:fear: :sad:
-
Malware Domain Blocklist updates ...
FYI...
DNS-BH Updates: 7.19 and 7.21
- http://www.malwaredomains.com/wordpress/?p=2794
July 22nd, 2012 - "Been remiss about mentioning updates on 7.19 and 7.21. Please update your blocklists/sinkhole..."
:fear::fear:
-
IntelliDownload malvertising...
FYI...
IntelliDownload (stopmalvertising.com)
- http://www.malwaredomains.com/wordpress/?p=2797
July 23rd, 2012 - "... article about IntelliDownload*...
* http://stopmalvertising.com/malware-...-browsing.html
Jul 20, 2012 - "... it doesn’t disclose that it will hijack advertisements on several major websites and replace them with ads from oadsrv .com, scrape your Facebook data, spy on your browser session and report every move you make on the web back to chango .com ..."
Please study the domains listed in the article and take appropriate action (the domains have -not- yet been added to this blocklist)."
:fear: :mad:
-
Malware Domain Blocklist updated - 2012.07.25 ...
FYI...
Java Exploit domains, trojans, rogues
- http://www.malwaredomains.com/wordpress/?p=2800
July 25th, 2012 - "A small but important update containing domains associated with Java exploits, rogue antivirus, trojans, and other malicious domains you don’t want visiting your computer or network. Sources include mwis.ru, malwaredomainlist.com, and urlquery.net..."
___
- https://blogs.technet.com/b/mmpc/arc...edirected=true
25 Jul 2012 - "The last few months we have seen a drastic increase in Java-based malware abusing the CVE-2012-0507* AtomicReferenceArray type-confusion vulnerability. In addition to that, a few weeks ago, a new Java vulnerability was found (CVE-2012-1723)**; it is also a type-confusion vulnerability. The attack abusing this new vulnerability is also very active... The most effective measure against these vulnerabilities is -updating- your Java installation. To check the version of JRE your browser is running, visit following link:
http://www.java.com/en/download/installed.jsp ..."
* http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-0507 - 10.0 (HIGH)
** http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-1723 - 10.0 (HIGH)
:fear:
-
Domain Blocklist update...
FYI...
RunForestRun DGA Update (update your Domain Blocklist) ...
- http://www.malwaredomains.com/wordpress/?p=2805
July 26th, 2012 in 0day, New Domains
> http://blog.unmaskparasites.com/2012...mate-js-files/
26 Jul 12 - "... a quick recap of the RunForestRun attack: It began in mid-June and infected many servers with Plesk Panel since then. Hackers used Plesk’s File Manager to inject malicious code (mainly) at the bottom of .js files..."
"RunForestRun has changed the domain generating algorithm (DGA), and now uses waw.pl subdomains (instead of .ru) in malicious URLs."
:sad: :mad: :fear:
-
Malware Domain Blocklist updated - 2012.07.28 ...
FYI...
RunForestRun DGA Domains
- http://www.malwaredomains.com/wordpress/?p=2811
July 28th, 2012 - "Added over 200 RunForestRun Domains listed at blog.unmaskparasites.com."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.08.03 ...
FYI...
DNS-BH Aug3 Update – relisted domains
- http://www.malwaredomains.com/wordpress/?p=2813
August 3rd, 2012 - "Added 203 domains – domains were at one time delisted but are once again associated with malware..."
:fear::fear:
-
Domain blocks/IPs to Block ASAP...
FYI...
Domains and IPs to Block ASAP
- http://www.malwaredomains.com/wordpress/?p=2825
August 9th, 2012 in 0day, sql injection - "Two posts from the Internet Storm Center:
> https://isc.sans.edu/diary.html?storyid=13864
SQL Injection Lilupophilupop style – Lists about a dozen domains you should immediately add to your blocklists plus more in Dynamoo's blog*.
> https://isc.sans.edu/diary.html?storyid=13861
Zeus/Citadel variant causing issues in the Netherlands – Follow the links and block those IP addresses ..."
* http://blog.dynamoo.com/2012/08/more...-block-on.html
:fear: :mad::mad:
-
More sites to block...
FYI...
More sites to block...
- http://blog.dynamoo.com/2012/08/even...-block-on.html
13 August 2012 - "More evil sites to block on 194.28.115.150 (Specialist ISP*) following on from these:
idi42nga .rr.nu, kprud89entia .rr.nu, hin66gof .rr.nu, iste03dengi .rr.nu, hing30emplo .rr.nu,
ize84dso .rr.nu, ind42icat .rr.nu, lack33andw .rr.nu"
* http://blog.dynamoo.com/2012/08/yet-...-block-on.html
10 August 2012 - "... blocking access to 91.211.200.0/22 and 194.28.112.0/22 (Specialist ISP) plus -all- .rr.nu domains would be even better."
> http://blog.dynamoo.com/2012/08/scan...-pro-spam.html
13 August 2012 - "... 46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)
Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem..."
Something evil on 178.63.195.128/26
- http://blog.dynamoo.com/2012/08/some...319512826.html
13 August 2012 - "The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170. A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here*). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice... quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malicious domains need to be pointed somewhere else quickly.
The registrant for this block is:
inetnum: 178.63.195.128 - 178.63.195.191
address: RUSSIAN FEDERATION
178.63.195.163...
178.63.195.167...
178.63.195.168...
178.63.195.170...
178.63.195.171..."
* https://krebsonsecurity.com/2012/07/...r-black-deeds/
:mad::mad::mad:
-
IPs to block - 2012.08.14 ...
FYI...
"Federal Tax" spam...
- http://blog.dynamoo.com/2012/08/fede...egleeinfo.html
14 August 2012 - "... tax-themed spam leads to malware...
Date: Tue, 14 Aug 2012 15:21:33 +0200
From: "Internal Revenue Service" [alerts@irs.gov]
Subject: Rejected Federal Tax transfer
Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transaction
Tax Transaction ID: 38969777924999
Return Reason See details in the report below
Tax Transaction Report tax_report_38969777924999.doc (Microsoft Word Document) ...
... malicious payload... hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can."
___
"We can not charge your credit card" spam...
- http://blog.dynamoo.com/2012/08/we-c...card-spam.html
14 August 2012 - "... spam pretends to be from Amazon. Or UPS. Or perhaps both. Anyway, it leads to malware...
Date: Tue, 14 Aug 2012 05:26:05 +0200
From: "ups" [mail@ups.com]
Subject: We can not charge your credit card
Attachments: Amazon_Invoice.htm
Your Account | Help
Your credit card was blocked.
We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible...
The attachment Amazon_Invoice.htm is malicious and it attempts to download a malicious script... hosted on the following IPs (which have all been used for malware distribution several times):
190.120.228.92
199.71.212.78
203.80.16.81 ..."
:mad::mad:
-
Malware Domain Blocklist updated - 2012.08.23 ...
FYI...
Outgoing network traffic & Malicious Activity
- http://www.malwaredomains.com/wordpress/?p=2831
August 23rd, 2012 - "SANS* has a nice write-up about analyzing outgoing network traffic to identify malicious activity. They list a bunch of ip blocklists and IP reputation sources.
(We’ve also had two updates since the last post**, busy at $Jobs...)"
* https://isc.sans.edu/diary.html?storyid=13963#comment
** http://www.malwaredomains.com/wordpress/?p=2829
August 14th, 2012
Also see: http://www.malwaredomainlist.com/mdl.php
Latest update: August 23, 2012 2:50 AM
- http://mirror2.malwaredomains.com/files/
:fear::fear:
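The Dynamoo posts above (13-14 August) give IP ranges and single hosts to block, and the August 23rd post points at the SANS write-up on checking outgoing traffic against IP blocklists. As an added example that is not part of either source, the script below does that check: it parses the ranges and hosts quoted in those posts with Python's `ipaddress` module and scans constructed firewall-style log lines for outbound connections into them. The log line format and the sample lines are constructed; the addresses and CIDR blocks are the ones the posts name, and the run also confirms that 178.63.195.170 falls inside 178.63.195.128/26 as the post states.

```python
"""Added example: match outbound connections against the IP/CIDR blocks named
in the thread's Dynamoo and ISC posts. The log format is an assumption and the
log lines are constructed; the block entries come from the quoted posts."""
import ipaddress
import re

# Ranges and hosts quoted in the 13-14 August 2012 posts in this thread.
BLOCK_ENTRIES = [
    "91.211.200.0/22",     # Specialist ISP
    "194.28.112.0/22",     # Specialist ISP (194.28.115.150 sits inside)
    "178.63.195.128/26",   # ZeroAccess range, 178.63.195.128 - .191
    "46.51.218.71", "71.89.140.153", "203.80.16.81",
    "78.87.123.114", "190.120.228.92", "199.71.212.78",
]

# Constructed firewall-style log lines: "<time> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2012-08-14T10:01:02Z 10.0.0.12 -> 178.63.195.170:80
2012-08-14T10:01:05Z 10.0.0.12 -> 93.184.216.34:443
2012-08-14T10:02:11Z 10.0.0.7 -> 194.28.115.150:80
2012-08-14T10:02:40Z 10.0.0.7 -> 194.28.116.1:80
2012-08-14T10:03:00Z 10.0.0.9 -> 203.80.16.81:8080
garbage line that should be ignored
"""

def build_blocklist(entries):
    """Parse single IPs and CIDR ranges into network objects; a lone IP becomes a /32.
    strict=True rejects a range whose host bits are set (a typo in a blocklist)."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]

def matching_block(ip: str, networks):
    """Return the first block containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None

_LINE_RE = re.compile(r"^(\S+) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

def scan_log(text: str, networks):
    """Return (timestamp, source, destination, matched_block) for each connection
    whose destination falls inside a listed block. Malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, _port = m.groups()
        net = matching_block(dst, networks)
        if net is not None:
            hits.append((ts, src, dst, str(net)))
    return hits

if __name__ == "__main__":
    nets = build_blocklist(BLOCK_ENTRIES)
    for hit in scan_log(SAMPLE_LOG, nets):
        print("%s %s -> %s matched %s" % hit)
```

Note that 194.28.116.1 is not flagged: a /22 starting at 194.28.112.0 ends at 194.28.115.255, so the neighbouring block is outside the range the post asks to block.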
-
Malware Domain Blocklist updated - 2012.08.27 ...
FYI...
DNS-BH Update – 104 new domains
- http://www.malwaredomains.com/wordpress/?p=2833
August 27th, 2012 - "Added 104 new domains from hosts-file.net, safebrowsing.clients.google.com, avgthreatlabs.com and others..."
:fear:
-
Malware Domain Blocklist updated - 2012.08.28 ...
FYI...
Java 0-Day Domains, BH Exploit Kit Domains, other malicious domains
- http://www.malwaredomains.com/wordpress/?p=2837
August 28th, 2012 - "Added domains associated with the Java 0-day, Blackhole Exploit Kit, and other badness. Sources include labs.sucuri.net, blog.fireeye.com, spamhaus.org..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.09.03 ...
FYI...
Java 0-day, Black Hole Exploits, and other malicious domains...
- http://www.malwaredomains.com/wordpress/?p=2843
September 3rd, 2012 - "... Updates on August 29th and Sept 1st contained domains associated with the Java 0-day, Black Hole Exploits, and other malicious domains (another today @ 1:12 PM*)... Sources include safebrowsing.clients.google.com, scumware.org, blog.dynamoo.com and others..."
* http://mirror2.malwaredomains.com/files/
:fear:
-
Malware Domain Blocklist updated - 2012.09.08 ...
FYI...
java exploit domains, rogue antivirus, malspam domains...
- http://www.malwaredomains.com/wordpress/?p=2852
September 8th, 2012 - "Added 101 new domains associated with Java exploits, malicious spam, sutratds, fake antivirus, etc. Sources include emergingthreats.net, google.com/safebrowsing, blog.dynamoo.com..."
:fear::fear:
-
Malware Domain Blocklist updated - 2012.09.16 ..
FYI...
Several Sept Updates
- http://www.malwaredomains.com/wordpress/?p=2862
September 16th, 2012 - "... Recent updates added domains associated with the Java 0day, Black Hole Exploits, etc. All sources are listed in our domain.txt file*..."
* http://dns-bh.sagadc.org/domains.txt
:fear::fear:
-
Malware Domain Blocklist updated - 2012.09.23 ...
FYI...
Nitro, malspam, risky domains ...
- http://www.malwaredomains.com/wordpress/?p=2866
September 23rd, 2012 - "Added domains associated with Nitro, malspam, etc. Sources include safebrowsing.google.com, symantec.com, zeustracker.abuse.ch, blog.dynamoo.com, zataz.com, hosts-file.net..."
:fear::fear:
-
Blocklist delistings - correction 2012.09.25 ...
FYI...
Site delistings - Blocklist correction ...
- http://www.malwaredomains.com/wordpress/?p=2871
September 25th, 2012 - "artconcoction.com has been delisted and will be removed on the next update. There is also a (big) mistake in the zone file, don’t wait for an update on our end; please -remove- safebrowsing.clients.google.com* from your zone files ASAP."
* NOTE to AdBlock Plus users: Un-check it in the AdBlock Plus Filter Preference listing.
:fear::fear:
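The correction above is the failure mode a sinkhole operator has to plan for: a legitimate name (here a source name, safebrowsing.clients.google.com) ends up in the zone file, and because a Bind sinkhole zone answers for everything below the listed name, an entry that is a parent of a legitimate host is just as damaging. As an added example that is not part of the DNS-BH project, the script below audits a set of generated `zone` statements against a local allowlist and emits a corrected file. The zone statements are constructed; the allowlist entry mirrors the September 25th correction, and `update.example` is a placeholder for any other name local policy must keep resolvable.

```python
"""Added example: audit Bind sinkhole 'zone' statements against an allowlist of
names that must never be sinkholed, removing an entry both when it equals an
allowlisted name and when it is a parent zone that would capture one."""
import re

# Constructed sinkhole config (not the real feed's zone file).
SAMPLE_ZONES = """\
zone "bad-example.test" { type master; file "/etc/namedb/blockeddomain.hosts"; };
zone "safebrowsing.clients.google.com" { type master; file "/etc/namedb/blockeddomain.hosts"; };
zone "clients.google.com" { type master; file "/etc/namedb/blockeddomain.hosts"; };
zone "evil-kit.example" { type master; file "/etc/namedb/blockeddomain.hosts"; };
"""

# Names whose resolution must stay intact (assumed local policy; update.example is a placeholder).
ALLOWLIST = {"safebrowsing.clients.google.com", "update.example"}

_ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"')

def zone_names(config: str):
    """Names of all zone statements in a config, lowercased, without a trailing dot."""
    matches = (_ZONE_RE.match(line) for line in config.splitlines())
    return [m.group(1).lower().rstrip(".") for m in matches if m]

def is_or_covers(entry: str, allowed: str) -> bool:
    """True if sinkholing `entry` would hijack `allowed`: an authoritative sinkhole
    zone answers for the name itself and for every name below it."""
    return allowed == entry or allowed.endswith("." + entry)

def audit(config: str, allowlist):
    """Return (kept_config, removed). `removed` pairs each dropped entry with the
    allowlisted name it would have hijacked; non-zone lines are kept as-is."""
    kept, removed = [], []
    for line in config.splitlines():
        m = _ZONE_RE.match(line)
        name = m.group(1).lower().rstrip(".") if m else None
        hit = next((a for a in allowlist if name and is_or_covers(name, a)), None)
        if hit:
            removed.append((name, hit))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    corrected, dropped = audit(SAMPLE_ZONES, ALLOWLIST)
    for name, why in dropped:
        print(f"removed {name}: would sinkhole allowlisted {why}")
    print(corrected)
```

Run this after every feed update, before the resolver reloads; a sinkhole that captures a vendor's update or safe-browsing host fails in the direction of blocking protection rather than malware, which is exactly the kind of error the post asks readers to fix by hand.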