Feed

NBC.com redirecting to Exploit kit

Posted on February 21st, 2013 in 0day by dglosser

From https://isc.sans.edu/:

The NBC[.]com website is redirecting to malicious websites that contain an exploit kit.
At this point it seems like most of the pages contain an iframe that is redirecting to the first stage of the RedKit exploit kit.
Some of the iframes:

hxxp://www.jaylenosgarage[.]com/trucks/PHP/google.php
hxxp://toplineops[.]com/mtnk.html
hxxp://jaylenosgarage[.]com

We’ll add these iframe domains tonight, but you should not wait.

Update: a more complete list of domains is here: http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html
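A defender reading the post above wants to know whether a page they serve or proxy carries an iframe pointing at one of the listed redirector domains. The script below is an added example (not from the original post or from malwaredomains.com): it loads a one-domain-per-line list in the style of the justdomains file, walks the iframes in an HTML document, and reports any whose src host (or a parent domain of it) is on the list, also noting iframes sized to be invisible, which is how exploit-kit injections are typically hidden. The domain names and HTML are constructed placeholders, not the real indicators from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample list (one domain per line, '#' comments), placeholder names only.
SAMPLE_BLOCKLIST = """# constructed sample, not the real justdomains file
bad-redirector.example
ek-landing.example
"""

# Constructed sample page: one legitimate embed and one zero-size injected iframe.
SAMPLE_HTML = """<html><body><h1>Schedule</h1>
<iframe src="https://player.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://www.bad-redirector.example/trucks/PHP/google.php" width="0" height="0"></iframe>
</body></html>"""


def load_blocklist(text):
    """Parse a one-domain-per-line list; skip blanks and comments, normalise case."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def host_is_listed(host, blocklist):
    """True if host or any parent domain is listed (www.x.example matches x.example)."""
    labels = host.lower().rstrip(".").split(".")
    # Stop before the bare TLD so a list entry can never be matched by "example" alone.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


class IframeCollector(HTMLParser):
    """Collect (src, hidden) for every <iframe>; 'hidden' flags 0/1-pixel or display:none frames."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        if not a.get("src"):
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style)
        self.iframes.append((a["src"], hidden))


def find_blocked_iframes(html, blocklist):
    """Return (src, host, hidden) for each iframe whose src host is on the blocklist."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for src, hidden in parser.iframes:
        host = urlparse(src).hostname
        if host and host_is_listed(host, blocklist):
            hits.append((src, host, hidden))
    return hits
```

Run `find_blocked_iframes(SAMPLE_HTML, load_blocklist(SAMPLE_BLOCKLIST))` to see the single injected frame reported, with hidden=True.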

142 malspam, iframe, Joomla exploit, malicious domains

Posted on December 11th, 2012 in 0day,exploit,iframes,malspam,New Domains by dglosser

Added 142 domains associated with malspam and iframe/Joomla exploits. Sources include safebrowsing.clients.google.com, blog.dynamoo.com, labs.sucuri.net (all sources are listed in our domains.txt file).

* Please help to keep this site free and donate whatever you can: all donations go to hosting and infrastructure costs.
* The malware block lists provided here are free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.
* Please use the “datestamp” and “timestamp” files to determine if the list has been updated and ONLY pull the files you need; abusers will be banned! Use wget -N!
* Yearly sponsorships are available. Full acknowledgment, an icon, and a link back to your site will be placed in the left sidebar.
* The domains.txt file is the complete list along with the original reference. Justdomains contains only the domain names. The BOOT file is in MS DNS format. The malwaredomains.zones file is in BIND format. Also available in AdBlock, ISA, and MaraDNS formats. A trusted source on WOT (the Web of Trust). Used by SURBL, MOREnet, SANS, and others…

We also have a mirror dedicated to research and Open Source projects; please contact us for details.

NO ZONE FILES ARE LOCATED ON THIS SITE. Users and IP addresses which repeatedly attempt to download zone files directly from this site will be banned from all downloads.

Joomla (and WordPress) Bulk Exploit ongoing

Posted on December 10th, 2012 in 0day by dglosser

SANS reports that there is an ongoing bulk Joomla and WordPress exploit, complete with iframes pointing to fake AV.

If anyone has seen a published list of the FQDNs involved in this, please let us know so we can add those domains here.

Update: the issues with the zone files seem to have been resolved, and some of the domains used in this exploit have been added to the blocklist.

Several Sept Updates

Posted on September 16th, 2012 in 0day,BH Exploit Kit,malspam,malvertising,New Domains,rogue antivirus by dglosser

Been so busy updating the malware blocklists that I forgot to update the blog. Recent updates added domains associated with the Java 0-day, Black Hole Exploit Kit, etc. All sources are listed in our domains.txt file.


Godaddy DDoS Attack

Posted on September 10th, 2012 in 0day by dglosser

Java exploit domains, rogue antivirus, malspam domains…

Posted on September 8th, 2012 in 0day,BH Exploit Kit,malspam,New Domains,rogue antivirus by dglosser

Added 101 new domains associated with Java exploits, malicious spam, Sutra TDS, fake antivirus, etc. Sources include www.emergingthreats.net, www.google.com/safebrowsing, blog.dynamoo.com (all sources are listed in our domains.txt file).

Two updates

Posted on September 3rd, 2012 in 0day,BH Exploit Kit,New Domains by dglosser

Been so busy updating the malware blocklists that I forgot to update the blog. Updates on August 29th and Sept 1st contained domains associated with the Java 0-day, Black Hole Exploit Kit, and other malicious domains you don’t want your desktops or network visiting. Sources include safebrowsing.clients.google.com, www.scumware.org, blog.dynamoo.com and others (all sources are listed in our domains.txt file).


Java 0-Day Domains, BH Exploit Kit Domains, other malicious domains

Posted on August 28th, 2012 in 0day,BH Exploit Kit,exploit,New Domains by dglosser

Added domains associated with the Java 0-day, Blackhole Exploit Kit, and other badness. Sources include labs.sucuri.net, blog.fireeye.com, www.spamhaus.org (all sources are listed in our domains.txt file).


Domains and IPs to Block ASAP

Posted on August 9th, 2012 in 0day,sql injection by dglosser

Two posts from the Internet Storm Center:

SQL Injection, Lilupophilupop style: lists about a dozen domains you should immediately add to your blocklists, plus more in Dynamoo’s blog.

Zeus/Citadel variant causing issues in the Netherlands: follow the links and block those IP addresses.

RunForestRun DGA Update

Posted on July 26th, 2012 in 0day,New Domains by dglosser

http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/

RunForestRun has changed its domain generating algorithm (DGA) and now uses waw.pl subdomains (instead of .ru) in malicious URLs.

Update: the full list of predicted domains is here: http://pastebin.com/8tfexYE3