ASPROX Toolkit

Posted on July 22nd, 2008 in asprox,News by dglosser

Sentinal IPS has released a new version of their ASProx Toolkit. This toolkit includes T-SQL code for cleaning infected databases and URLScan configuration instructions for catching injection attempts. Read about it here.

List Cleanup

Posted on April 24th, 2008 in Domain News,News by dglosser

66 domains were deleted due to duplicates or false positives. Check out the “diff” file in the http://www.malwaredomains.com/files directory for more details.

Snort Malware Domain Rules

Posted on April 23rd, 2008 in Domain News,News by dglosser

The Autoshun project has a set of snort rules based on the bhdns domains listed here:

They also have snort rules to alert on communications with one of the known storm C&C addresses and other interesting malware resources.

Holy IFRAME Batman!

Posted on April 3rd, 2008 in News by dglosser

Holy IFRAME Batman! I always wanted to say that ;)

My Christmas List:

I wish that browsers would:
a) ignore all iframes not from a different domain than the base domain.
b) ignore any obfuscated javascript (or at least the stuff which seems malicious–if that’s possible)

I wish that all web crawlers (such as google) would:
a) not index any sites which contain obfuscated javascript (or at least the stuff which seems malicious–if that’s possible)
b) not index (or place a warning) on any site which contains an iframe calling content from a different domain.

I wish that all web servers would:
- have an option to ignore any IFRAME statements when displaying back to the browser. So even if a site was hacked and an iframe injected into the code the web server would simply ignore it and not even send it to the end-user’s browser…

There’s just way too much maliciousness with iframes and way too much obfuscated javascript out there… Iframes are evil. I found someone who agrees with me.
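The server-side wish above (drop any iframe that pulls content from a different domain before the page reaches the browser) is easy to prototype. This is an added example, not code from malwaredomains.com or any of the projects mentioned; it assumes a naive "last two labels" notion of base domain, and the sample page and the host injected.example are constructed for the test.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list used)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class IframeAuditor(HTMLParser):
    def __init__(self, base_domain, html):
        super().__init__()
        self.base = registrable_domain(base_domain)
        # absolute offset of each line start, to turn getpos() into a string index
        self.line_starts = [0] + [i + 1 for i, c in enumerate(html) if c == "\n"]
        self.findings = []   # (src, cross_site, start_offset, end_offset)
        self._open = None
    def _abs(self):
        line, col = self.getpos()   # position of the tag currently being handled
        return self.line_starts[line - 1] + col
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src") or ""
            host = urlsplit(src).hostname   # None for relative src; set for "//host/..."
            cross = host is not None and registrable_domain(host) != self.base
            self._open = (src, cross, self._abs())
    def handle_endtag(self, tag):
        if tag == "iframe" and self._open:
            src, cross, start = self._open
            self.findings.append((src, cross, start, self._abs() + len("</iframe>")))
            self._open = None

def audit(html, base_domain):
    """Return every closed <iframe> element with its src, off-site flag and span."""
    p = IframeAuditor(base_domain, html)
    p.feed(html)
    p.close()
    return p.findings

def strip_cross_site_iframes(html, base_domain):
    """The server-side wish: remove off-site iframe elements before sending the page."""
    out = html
    for _, cross, start, end in sorted(audit(html, base_domain), key=lambda f: f[2], reverse=True):
        if cross:
            out = out[:start] + out[end:]   # cut from the end so earlier offsets stay valid
    return out

# Constructed sample page; injected.example stands in for an attacker-controlled host.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="/embed/local.html" width="1" height="1"></iframe>
<iframe src="//static.www.example.com/widget.html"></iframe>
<iframe src="http://injected.example/in.cgi?3" width="0" height="0"></iframe><p>end</p></body></html>"""
```

Same-site iframes (relative or protocol-relative on a subdomain) survive; only the one pointing off-site is cut out, and the findings list doubles as a detection log.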

Massive IFRAME SEO Poisoning Attack (from Dancho Danchev)

Posted on March 28th, 2008 in Domain News,New Domains,News,rogue antivirus,zlob by dglosser

Dancho Danchev’s blog contains netblocks and domains which are involved in the continual IFRAME SEO Poisoning Attack. The latest attack successfully injects IFRAMES forwarding to the rogue security software and Zlob malware variants. Domains include:

mynudedirect(dot)com (already listed)
gift-vip(dot)net (already listed)
e.pepato(dot)org (already listed)
webmovies-b(dot)com, vipasotka(dot)com, golnanosat(dot)com, d08r(dot)cn and others (not yet listed; you should block ASAP)

Netblocks and IPs to block (which include multiple class C ranges) are listed in his blog.

Emerging Threats Sandnet

Posted on January 17th, 2008 in News by dglosser

The Emerging Threats Sandnet is back online!

This sandbox is one of the best sources of new, active domains for the DNS-BH list as well as fresh snort signatures.

If you have any malware samples, links, spam, etc please send them to samples – at – emergingthreats(dot)net

Malware and ARP Spoofing

Posted on January 16th, 2008 in News by dglosser

Websense has an eye-opening writeup on how some malware now uses ARP cache poisoning to turn the infected machine into an HTTP proxy server for the rest of the LAN. Poof! Your entire network is poisoned! Castlecops has a writeup from someone in China who has experienced this first hand: machines which are declared clean by multiple AV products still suffer from the IFRAME. Yikes!