Nuclear EK, Domain SCAMs
FYI...
Nuclear EK active on 178.79.182.106
- http://blog.dynamoo.com/2014/10/nucl...879182106.html
9 Oct 2014 - "It looks like the Nuclear exploit kit is active on 178.79.182.106 (Linode, UK), using hijacked subdomains of legitimate domains using AFRAID.ORG nameservers. I can see the following sites active on that IP:
fuhloizle .tryzub-it .co.uk
fuhloizle .pgaof39 .com
fuhloizle .cusssa .org
"fuhloizle" is a pretty distinctive search string to look for in your logs. It looks like the bad sites might be down at the moment (or the kit is hardened against analysis), but blocking this IP address as a precaution might be a good idea."
178.79.182.106: https://www.virustotal.com/en/ip-add...6/information/
___
chinaregistry .org.cn domain SCAM
- http://blog.dynamoo.com/2014/10/chin...main-scam.html
9 Oct 2014 - "This is an old scam that can safely be ignored.
From: Henry Liu [henry.liu@ chinaregistry .org.cn]
Date: 9 October 2014 07:53
Subject: [redacted] domain and keyword in CN
(Please forward this to your CEO, because this is urgent. Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?Kind regards
Henry Liu
General Manager
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China ...
Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either..."
(Short video at the dynamoo URL above.)
___
Bash Bug saga continues: Shellshock Exploit via DHCP
- http://blog.trendmicro.com/trendlabs...loit-via-dhcp/
Oct 8, 2014 - "The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including -Metasploit- code) available in the public domain, this vulnerability is being heavily exploited. Most discussion of Shellshock attacks have focused on attacks on web apps. There has been relatively little discussion on on other surfaces like DHCP, SMTP, and CUPS... techniques could be used by an attacker to compromise more machines within the network. Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send -malicious- information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors... Various techniques can be used to to exploit Shellshock over DHCP..."
(More detail at the trendmicro URL above.)
