Report on Fast Flux ZBot Network

Posted on June 10th, 2016 in Domain News,fastflux,News by ashinn

We’d like to let you know about a report on the crimeware using a fast flux ZBot network.

“A commercially driven fast flux network is facilitating criminal activity such as malware, spam bots, ransomware, carder sites and more…Often, new domains join this botnet only a few days or at most, weeks apart. Some domain names have remained associated with the network for months or years. Parts of the botnet use frequently changing DNS NS records as well as DNS A records. This is generally regarded as “double flux” activity — another layer in hiding the network.”

You can read the full report here: ow.ly/pGEG3012Pe0
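The "double flux" pattern the report describes (both A and NS records churning) can be surfaced from ordinary resolver or passive-DNS data. The following is an added example, not code from the report or from this site; the thresholds, the domain names and the observation records are constructed for illustration.

```python
from collections import defaultdict
# Assumed thresholds (illustrative, not from the report): many distinct A records
# on short TTLs suggests single flux; a rotating NS set on top of that is double flux.
MIN_DISTINCT_A = 5
MIN_DISTINCT_NS = 3
MAX_TTL = 600

# Constructed (name, rrtype, ttl, rdata) observations, standing in for resolver
# logs or passive DNS collected over hours or days.
OBSERVATIONS = [
    ("flux.example", "A", 300, "198.51.100.10"),
    ("flux.example", "A", 300, "198.51.100.45"),
    ("flux.example", "A", 180, "203.0.113.7"),
    ("flux.example", "A", 180, "203.0.113.88"),
    ("flux.example", "A", 120, "192.0.2.33"),
    ("flux.example", "NS", 300, "ns1.flux.example"),
    ("flux.example", "NS", 300, "ns2.flux.example"),
    ("flux.example", "NS", 180, "ns9.flux.example"),
    # A CDN-fronted site also rotates A records on short TTLs but keeps its NS set.
    ("cdn.example", "A", 60, "198.51.100.1"),
    ("cdn.example", "A", 60, "198.51.100.2"),
    ("cdn.example", "A", 60, "198.51.100.3"),
    ("cdn.example", "A", 60, "198.51.100.4"),
    ("cdn.example", "A", 60, "198.51.100.5"),
    ("cdn.example", "NS", 86400, "ns1.cdn.example"),
    ("static.example", "A", 86400, "192.0.2.1"),
    ("static.example", "NS", 86400, "ns1.static.example"),
]

def classify(observations):
    # Returns {name: "double_flux" | "single_flux" | "stable"} for every domain seen.
    a_vals, ns_vals, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for name, rrtype, ttl, rdata in observations:
        if rrtype == "A":
            a_vals[name].add(rdata)
            ttls[name].append(ttl)
        elif rrtype == "NS":
            ns_vals[name].add(rdata)
    verdicts = {}
    for name in set(a_vals) | set(ns_vals):
        short_ttl = max(ttls[name], default=MAX_TTL + 1) <= MAX_TTL
        a_churn = len(a_vals[name]) >= MIN_DISTINCT_A and short_ttl
        ns_churn = len(ns_vals[name]) >= MIN_DISTINCT_NS
        if a_churn and ns_churn:
            verdicts[name] = "double_flux"
        elif a_churn:
            verdicts[name] = "single_flux"
        else:
            verdicts[name] = "stable"
    return verdicts
```

A-record churn alone is a weak signal because content delivery networks behave the same way; the NS churn is what separates the cdn.example case from the flux.example case above.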

Tools and Standards for Cyber Threat Intelligence Projects

Posted on October 24th, 2013 in New Domains,News,Off Topic by dglosser

A new whitepaper by SANs:

Tools and Standards for Cyber Threat Intelligence Projects

Interesting reading, especially Page 11 :)

Using DNS Logs As a Security Information Source

Posted on May 24th, 2013 in News by dglosser

Using DNS Logs As a Security Information Source :



Analyzing DNS Logs Using Splunk

Posted on July 7th, 2012 in Domain News,News by dglosser

Interesting article on Analyzing DNS Logs Using Splunk and on identifying whether Splunk sees a DNS lookup for a known bad domain name.

Again, if you use our data as this article does, do not pull the zone file more than once every 12 hours or you will be banned. Better yet, check to see if the file has changed first (such as via a wget option) BEFORE pulling the zone file. And please DONATE if you consider the list useful. A year's worth of donations does not even equal one month’s hosting and infrastructure costs and we are not sure how much longer we can continue to pay these expenses out-of-pocket.

Article here: http://www.stratumsecurity.com/2012/07/03/splunk-security/


Log DNS queries and the client that requested it: It’s been said that DNS is the linchpin of the Internet. It’s arguably the most basic and under appreciated human-to-technology interface. It’s no different for malware. When you suspect that a device has been compromised on your network, it’s important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.
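The core of the approach above, matching logged DNS queries against a blocklist and recording which clients asked, does not need Splunk. The following is an added example, not code from the article or from this site: the blocklist and the BIND 9 style query log lines are constructed, and the one-domain-per-line list format is an assumption (adapt the loader to the real list's columns).

```python
import re
from collections import defaultdict

# Constructed blocklist; one domain per line is an assumption, adapt the loader
# to the real list's column layout. Comment lines are ignored.
BLOCKLIST_TEXT = """# constructed sample
bad-domain.example
malware.example
"""

# Constructed BIND 9 style query log lines: the client IP#port precedes the query.
QUERY_LOG = """\
03-Jul-2012 10:15:01.123 client 10.0.0.5#51234: query: www.bad-domain.example IN A + (10.0.0.1)
03-Jul-2012 10:15:02.456 client 10.0.0.9#40021: query: intranet.corp.example IN A + (10.0.0.1)
03-Jul-2012 10:15:03.789 client 10.0.0.17#33001: query: cdn.malware.example IN A + (10.0.0.1)
03-Jul-2012 10:16:10.000 client 10.0.0.5#51240: query: malware.example IN MX + (10.0.0.1)
03-Jul-2012 10:16:11.000 client 10.0.0.23#51300: query: notbad-domain.example IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def load_blocklist(text):
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            domains.add(line.rstrip("."))
    return domains

def matching_domain(qname, blocklist):
    # Walk up the label hierarchy so hosts under a listed domain match, while a
    # plain substring match would wrongly flag notbad-domain.example.
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def clients_per_bad_domain(log_text, blocklist):
    # Returns {listed_domain: [client IPs that queried it or a host under it]}.
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        listed = matching_domain(m.group("qname"), blocklist)
        if listed:
            hits[listed].add(m.group("client"))
    return {d: sorted(c) for d, c in hits.items()}
```

To honour the 12-hour rule above, fetch the list with `wget -N`, which only downloads when the server copy is newer than the local file.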

Research Articles

Posted on September 26th, 2011 in News by dglosser

Occasionally this list is used as part of research into malware and domain security. Please drop us a note if you find such a reference in an article or presentation; if you are the author, let us know.

Two papers we’ve become aware of:

Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games - http://www.cc.gatech.edu/~ynadji3/docs/pubs/gzaraid2011.pdf

A Demonstration of DNS3: a Semantic-Aware DNS Service – http://iswc2011.semanticweb.org/fileadmin/iswc/Papers/PostersDemos/iswc11pd_submission_106.pdf

Safe Browsing Alerts for Network Administrators

Posted on September 29th, 2010 in News by dglosser

From http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html

Today, we’re happy to announce Google Safe Browsing Alerts for Network Administrators — an experimental tool which allows Autonomous System (AS) owners to receive early notifications for malicious content found on their networks. A single network or ISP can host hundreds or thousands of different websites. Although network administrators may not be responsible for running the websites themselves, they have an interest in the quality of the content being hosted on their networks. We’re hoping that with this additional level of information, administrators can help make the Internet safer by working with webmasters to remove malicious content and fix security vulnerabilities.

To get started, visit safebrowsingalerts.googlelabs.com.

SwineFlu Domains

Posted on April 28th, 2009 in News by dglosser

F-Secure has just published a list of Swineflu-related domains. You can be sure some will be used for spam or serve up malware:


Obviously, use extreme caution when accessing these sites or clicking on links in emails related to the swineflu.

Source: http://isc.sans.org/diary.html?storyid=6280

You may want to caution your users about clicking on these links or proactively add them to your own blocklist. Domains will only be added here once they have been verified to be malicious.


Posted on August 21st, 2008 in News by dglosser

MaraDNS has a reputation as one of the most secure DNS servers available.

Alexander Clouter <alex – at – digriz.org.uk> has created a script to create MaraDNS compatible zone files. It’s located at http://www.malwaredomains.com/files/createmaradns-pl.txt (change the extension to .pl). Please try it out and give us feedback. Thanks to Alexander for his hard work!

Cross-Site Scripting

Posted on August 18th, 2008 in News by dglosser

Search on www.xssed.com and make sure your site is not listed as a site vulnerable to cross-site scripting (XSS)*

*Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. (Source: http://en.wikipedia.org/wiki/Cross-site_scripting)