Malware Domain Blocklist updated...

Malware Domain Blocklist updated - 2012.07.10 ...

FYI...

246 malicious domains added...
- http://www.malwaredomains.com/wordpress/?p=2783
July 10th, 2012 - "A very large update consisting of 246 domains associated with malvertising, iframes, black hole exploits, etc. Sources include malwaredomainlist.com, sucuri.net, dynamoo.com..."

:fear::fear::spider:
 
Malware Domain Blocklist updated - 2012.07.16 ...

FYI...

Relisted Domains ...
- http://www.malwaredomains.com/wordpress/?p=2791
July 16th, 2012 - "Just went through a bunch of older domains and relisted almost 50 of them. Or do the bad guys wait and “lay low” with their domain until “the coast is clear” and once google safebrowsing delists them, they once again use the domain to serve up malware (Whack-a-Mole)? Do they have google APIs and check daily to see if their domain is delisted?... It’s like fast-flux except the time frame is months instead of minutes."

:fear: :sad:
 
IntelliDownload malvertising...

FYI...

IntelliDownload (stopmalvertising.com)
- http://www.malwaredomains.com/wordpress/?p=2797
July 23rd, 2012 - "... article about IntelliDownload*...
* http://stopmalvertising.com/malware...-ads-and-spies-on-your-internet-browsing.html
Jul 20, 2012 - "... it doesn’t disclose that it will hijack advertisements on several major websites and replace them with ads from oadsrv .com, scrape your Facebook data, spy on your browser session and report every move you make on the web back to chango .com ..."

Please study the domains listed in the article and take appropriate action (the domains have -not- yet been added to this blocklist)."

:fear: :mad:
 
Malware Domain Blocklist updated - 2012.07.25 ...

FYI...

Java Exploit domains, trojans, rogues
- http://www.malwaredomains.com/wordpress/?p=2800
July 25th, 2012 - "A small but important update containing domains associated with Java exploits, rogue antivirus, trojans, and other malicious domains you don’t want visiting your computer or network. Sources include mwis.ru, malwaredomainlist.com, and urlquery.net..."
___

- https://blogs.technet.com/b/mmpc/ar...-from-java-based-malware.aspx?Redirected=true
25 Jul 2012 - "The last few months we have seen a drastic increase in Java-based malware abusing the CVE-2012-0507* AtomicReferenceArray type-confusion vulnerability. In addition to that, a few weeks ago, a new Java vulnerability was found (CVE-2012-1723)**; it is also a type-confusion vulnerability. The attack abusing this new vulnerability is also very active... The most effective measure against these vulnerabilities is -updating- your Java installation. To check the version of JRE your browser is running, visit following link:
http://www.java.com/en/download/installed.jsp ..."

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0507 - 10.0 (HIGH)
** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)

:fear:
 
Domain Blocklist update...

FYI...

RunForestRun DGA Update (update your Domain Blocklist) ...
- http://www.malwaredomains.com/wordpress/?p=2805
July 26th, 2012 in 0day, New Domains
> http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/
26 Jul 12 - "... a quick recap of the RunForestRun attack: It began in mid-June and infected many servers with Plesk Panel since then. Hackers used Plesk’s File Manager to inject malicious code (mainly) at the bottom of .js files..."

"RunForestRun has changed the domain generating algorithm (DGA), and now uses waw.pl subdomains (instead of .ru) in malicious URLs."

:sad: :mad: :fear:
 
Domain blocks/IPs to Block ASAP...

FYI...

Domains and IPs to Block ASAP
- http://www.malwaredomains.com/wordpress/?p=2825
August 9th, 2012 in 0day, sql injection - "Two posts from the Internet Storm Center:
> https://isc.sans.edu/diary.html?storyid=13864
SQL Injection Lilupophilupop style – Lists about a dozen domains you should immediately add to your blocklists plus more in Dynamoo's blog*.
> https://isc.sans.edu/diary.html?storyid=13861
Zeus/Citadel variant causing issues in the Netherlands – Follow the links and block those IP addresses ..."

* http://blog.dynamoo.com/2012/08/more-malware-sites-to-block-on.html

:fear: :mad::mad:
 
More sites to block...

FYI...

More sites to block...
- http://blog.dynamoo.com/2012/08/even-more-malware-sites-to-block-on.html
13 August 2012 - "More evil sites to block on 194.28.115.150 (Specialist ISP*) following on from these:
idi42nga .rr.nu, kprud89entia .rr.nu, hin66gof .rr.nu, iste03dengi .rr.nu, hing30emplo .rr.nu,
ize84dso .rr.nu, ind42icat .rr.nu, lack33andw .rr.nu"
* http://blog.dynamoo.com/2012/08/yet-more-malware-sites-to-block-on.html
10 August 2012 - "... blocking access to 91.211.200.0/22 and 194.28.112.0/22 (Specialist ISP) plus -all- .rr.nu domains would be even better."

> http://blog.dynamoo.com/2012/08/scan-from-xerox-workcentre-pro-spam.html
13 August 2012 - "... 46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)
Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem..."

Something evil on 178.63.195.128/26
- http://blog.dynamoo.com/2012/08/something-evil-on-1786319512826.html
13 August 2012 - "The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170. A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here*). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice... quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malicious domains need to be pointed somewhere else quickly.
The registrant for this block is:
inetnum: 178.63.195.128 - 178.63.195.191
address: RUSSIAN FEDERATION
178.63.195.163...
178.63.195.167...
178.63.195.168...
178.63.195.170...
178.63.195.171..."
* https://krebsonsecurity.com/2012/07/service-secures-domains-for-black-deeds/

:mad::mad::mad:
 
IPs to block - 2012.08.14 ...

FYI...

"Federal Tax" spam...
- http://blog.dynamoo.com/2012/08/federal-tax-spam-wireframegleeinfo.html
14 August 2012 - "... tax-themed spam leads to malware...

Date: Tue, 14 Aug 2012 15:21:33 +0200
From: "Internal Revenue Service" [alerts@irs.gov]
Subject: Rejected Federal Tax transfer
Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transaction
Tax Transaction ID: 38969777924999
Return Reason See details in the report below
Tax Transaction Report tax_report_38969777924999.doc (Microsoft Word Document)
...

... malicious payload... hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can."
___

"We can not charge your credit card" spam...
- http://blog.dynamoo.com/2012/08/we-can-not-charge-your-credit-card-spam.html
14 August 2012 - "... spam pretends to be from Amazon. Or UPS. Or perhaps both. Anyway, it leads to malware...

Date: Tue, 14 Aug 2012 05:26:05 +0200
From: "ups" [mail@ups.com]
Subject: We can not charge your credit card
Attachments: Amazon_Invoice.htm
Your Account | Help
Your credit card was blocked.
We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible...


The attachment Amazon_Invoice.htm is malicious and it attempts to download a malicious script... hosted on the following IPs (which have all been used for malware distribution several times):
190.120.228.92
199.71.212.78
203.80.16.81
..."

:mad::mad:
 
Malware Domain Blocklist updated - 2012.08.23 ...

FYI...

Outgoing network traffic & Malicious Activity
- http://www.malwaredomains.com/wordpress/?p=2831
August 23rd, 2012 - "SANs* has a nice write-up about analyzing outgoing network traffic to identify malicious activity. They list a bunch of ip blocklists and IP reputation sources.
(We’ve also had two updates since the last post**, busy at $Jobs...)"

* https://isc.sans.edu/diary.html?storyid=13963#comment

** http://www.malwaredomains.com/wordpress/?p=2829
August 14th, 2012

Also see: http://www.malwaredomainlist.com/mdl.php

Latest update: August 23, 2012 2:50 AM
- http://mirror2.malwaredomains.com/files/

:fear::fear:
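As an added example (not code from the thread or from malwaredomains.com), the kind of outbound-traffic check the SANS write-up above describes, using rules quoted earlier in this thread: dynamoo's advice to block 91.211.200.0/22 and 194.28.112.0/22 plus every .rr.nu name, the 178.63.195.128/26 range, the defanged names from the IntelliDownload post, and an allowlist for the safebrowsing.clients.google.com zone-file mistake reported in the later correction. The log format is constructed for the example.

```python
import ipaddress
import re

# Constructed rules taken from entries quoted in this thread: dynamoo's advice to
# block 91.211.200.0/22 and 194.28.112.0/22 plus every .rr.nu name, the
# 178.63.195.128/26 range, and two defanged names from the IntelliDownload post.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in
                ("91.211.200.0/22", "194.28.112.0/22", "178.63.195.128/26")]
BLOCKED_SUFFIXES = ("rr.nu",)
RAW_BLOCKED_NAMES = ("oadsrv .com", "chango .com")
# The 2012.09.25 correction: this zone-file entry was a mistake and must never match.
ALLOWLIST = {"safebrowsing.clients.google.com"}

def refang(name):
    """Turn a defanged indicator ('oadsrv .com', 'evil[.]example') into a hostname."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", name.strip().lower()).rstrip(".")

BLOCKED_NAMES = {refang(n) for n in RAW_BLOCKED_NAMES}

def is_blocked(dest):
    """True if an outbound destination (IP address or hostname) matches the blocklist."""
    dest = refang(dest)
    if dest in ALLOWLIST:          # allowlist wins over every block rule
        return False
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:             # not an IP: apply the name rules
        return dest in BLOCKED_NAMES or any(
            dest == s or dest.endswith("." + s) for s in BLOCKED_SUFFIXES)
    return any(ip in net for net in BLOCKED_NETS)

# Constructed outbound connection records (timestamp src -> dst); not real traffic.
SAMPLE_LOG = """\
2012-08-14T15:21:33 10.0.0.5 -> 194.28.115.150
2012-08-14T15:21:34 10.0.0.5 -> hin66gof.rr.nu
2012-08-14T15:21:35 10.0.0.7 -> safebrowsing.clients.google.com
2012-08-14T15:21:36 10.0.0.7 -> 178.63.195.170
2012-08-14T15:21:37 10.0.0.9 -> www.example.com
2012-08-14T15:21:38 10.0.0.9 -> notrr.nu
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")

def scan_log(text):
    """Return (src, dst) pairs whose destination hits the blocklist."""
    return [(m.group(2), m.group(3))
            for m in map(LINE_RE.match, text.splitlines())
            if m and is_blocked(m.group(3))]
```

Note that the suffix rule requires a label boundary, so `notrr.nu` is not caught by the `.rr.nu` rule; a bare `endswith("rr.nu")` would have over-blocked.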
 
Malware Domain Blocklist updated - 2012.08.28 ...

FYI...

Java 0-Day Domains, BH Exploit Kit Domains, other malicious domains
- http://www.malwaredomains.com/wordpress/?p=2837
August 28th, 2012 - "Added domains associated with the Java 0-day, Blackhole Exploit Kit, and other badness. Sources include labs.sucuri.net, blog.fireeye.com, spamhaus.org..."

:fear::fear:
 
Malware Domain Blocklist updated - 2012.09.03 ...

FYI...

Java 0-day, Black Hole Exploits, and other malicious domains...
- http://www.malwaredomains.com/wordpress/?p=2843
September 3rd, 2012 - "... Updates on August 29th and Sept 1st contained domains associated with the Java 0-day, Black Hole Exploits, and other malicious domains (another today @ 1:12 PM*)... Sources include safebrowsing.clients.google.com, scumware.org, blog.dynamoo.com and others..."
* http://mirror2.malwaredomains.com/files/

:fear:
 
Malware Domain Blocklist updated - 2012.09.08 ...

FYI...

java exploit domains, rogue antivirus, malspam domains...
- http://www.malwaredomains.com/wordpress/?p=2852
September 8th, 2012 - "Added 101 new domains associated with Java exploits, malicious spam, sutratds, fake antivirus, etc. Sources include emergingthreats.net, google.com/safebrowsing, blog.dynamoo.com..."

:fear::fear:
 
Blocklist delistings - correction 2012.09.25 ...

FYI...

Site delistings - Blocklist correction ...
- http://www.malwaredomains.com/wordpress/?p=2871
September 25th, 2012 - "artconcoction.com has been delisted and will be removed on the next update. There is also a (big) mistake in the zone file, don’t wait for an update on our end; please -remove- safebrowsing.clients.google.com* from your zone files ASAP."

* NOTE to AdBlock Plus users: Un-check it in the AdBlock Plus Filter Preference listing.

:fear::fear:
 