DNS-BH Update: New Zlob Domains

Posted on April 29th, 2008 in fake codecs,New Domains,zlob by dglosser

New zlob domains, mainly from Jahewi’s List of active fake codecs and other misleading ZLob-installers:

Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

Over 180 Coolwebsearch Domains Added

Posted on April 27th, 2008 in New Domains,rogue antivirus by dglosser

Added over 180 new domains associated with malware, mainly from the coolwebsearch list at webhelper:

BH-DNS Update: New Domains

Posted on April 25th, 2008 in iframes,New Domains,zlob by dglosser

21 new domains associated with malware:

List Cleanup

Posted on April 24th, 2008 in Domain News,News by dglosser

66 domains were deleted due to duplicates or false positives. Check out the “diff” file in the http://www.malwaredomains.com/files directory for more details.

Snort Malware Domain Rules

Posted on April 23rd, 2008 in Domain News,News by dglosser

The Autoshun project has a set of snort rules based on the bhdns domains listed here:

They also have snort rules to alert on communications with one of the known storm C&C addresses and other interesting malware resources.

Stop Malware with ISA 2006

Posted on April 22nd, 2008 in Domain News by dglosser

Chris at syncio has written a tool to import our domains.txt file into ISA as a URL or DNS set.

http://sync-io.net/go/www/Files/ISA_MalwareDomains_Binary.zip

They also have other nice resources, such as a Malware Identification Guide.

Thanks to Chris and syncio.

EMERGENCY UNLIST: psmtp.com

Posted on April 21st, 2008 in Domain News by dglosser

Please update your files ASAP. A legit domain, psmtp.com, was listed incorrectly. REMOVE IT IMMEDIATELY or download the files once again.

This is why this list should only be loaded on secondary/caching DNS servers that are used by end-users ONLY. Incorrect listings can and will occasionally happen.

DNS-BH Update: New Malicious Domains

Posted on April 19th, 2008 in fake codecs,New Domains,rogue antivirus,zlob by dglosser

New domains associated with malware. Sources include: Malware Domain List, Castlecops, Ddanchev’s Blog, Bharath’s Blog.

SQL Iframe Injection resources

Posted on April 17th, 2008 in Domain News,iframes by dglosser

Tens of thousands of legitimate websites have been compromised and have had code added that directs visitors to malicious websites. These iframes are similar to the following (obfuscated, periods replaced with spaces):

  • <script src=”hxxp://www aspder com/1 js”> </script>
  • <script src=”hxxp://www 414151 com/fjp js”></script>
  • <script src=”hxxp://www nihaorri com/1 js”> </script>

Other domains used include:

banner82 com, wowgm1 cn, direct84 com
wowgm2 cn, killwow1 cn, wowyeye com
vb008 cn, 9i5t cn, computershello com

A large number of these iframes are inserted through SQL injection via a form or querystring. All forms and querystrings need input checking and validation.
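The input checking described above, as an added example that is not code from this post or from any affected site: a querystring value concatenated into SQL beside the validated, parameterized form. It assumes an in-memory SQLite database standing in for the site's database; the `articles` table, the `site.example` URLs and all function names are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

def make_db():
    """Constructed sample data: two published articles and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", 1), (2, "News", 1), (3, "Draft", 0)])
    return conn

def id_from_url(url):
    """Return the raw, still untrusted, value of the id querystring parameter."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]

def article_unsafe(conn, url):
    """Pattern to avoid: querystring text is concatenated into the SQL statement."""
    sql = "SELECT title FROM articles WHERE published = 1 AND id = " + id_from_url(url)
    return [row[0] for row in conn.execute(sql)]

def article_safe(conn, url):
    """Validate the value, then hand it to the driver as a bound parameter."""
    raw = id_from_url(url)
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("id must be a decimal integer")
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw),))]

# Constructed requests: one ordinary, one whose id value carries SQL text.
GOOD_URL = "http://site.example/article?id=2"
BAD_URL = "http://site.example/article?id=2%20OR%201%3D1"

if __name__ == "__main__":
    db = make_db()
    print(article_safe(db, GOOD_URL))
    print(sorted(article_unsafe(db, BAD_URL)))   # the draft leaks: the WHERE clause was rewritten
    try:
        article_safe(db, BAD_URL)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation and parameter binding do different jobs here: the regular expression rejects malformed input early, while the bound parameter guarantees the value can never be parsed as SQL even if a validation rule is later loosened.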

Here are some forum posts from other website owners who are discussing this:

http://forums.iis.net/p/1148917/1867511.aspx

http://wooway.spaces.live.com/blog/cns!901DBAB8922809A5!1779.entry

http://www.webhostingtalk.com/showthread.php?t=686032

http://www.webhostingtalk.com/showthread.php?p=5064963

http://forums.iis.net/p/1148917/1867622.aspx

http://www.greensql.net/

http://www.experts-exchange.com/Security/Vulnerabilities/Q_23408074.html

There are even automated tools the BadGuys use to discover vulnerable web sites. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on a web site.
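For site owners checking whether they were hit, an added example (not from this post or the linked threads) that scans every text column of a database for script tags loaded from hosts the site does not own. It assumes the injected tags ended up in database text fields that the site renders into its pages; SQLite stands in for the site's database, and the tables, hosts and function names are constructed.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Captures the src value of a script tag, quoted or not.
SCRIPT_SRC = re.compile(r'''<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)''', re.IGNORECASE)

def text_columns(conn):
    """Yield (table, column) for every character-typed column in the database."""
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            name, ctype = row[1], row[2].upper()
            if "CHAR" in ctype or "TEXT" in ctype:
                yield table, name

def find_foreign_scripts(conn, own_hosts):
    """Return (table, column, rowid, host) for script tags served from hosts not in own_hosts."""
    hits = []
    for table, col in text_columns(conn):
        sql = f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?'
        for rowid, value in conn.execute(sql, ("%<script%",)):
            for src in SCRIPT_SRC.findall(value):
                host = (urlsplit(src).hostname or "").lower()
                if host and host not in own_hosts:   # relative paths have no host
                    hits.append((table, col, rowid, host))
    return hits

def sample_db():
    """Constructed content: clean rows plus two with an appended foreign script tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(200), price REAL)")
    tag = '<script src="http://injected.example/1.js"></script>'
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [
        (1, '<p>Home</p><script src="/js/menu.js"></script>'),
        (2, '<p>About us</p>' + tag),
        (3, '<script src="http://www.site.example/app.js"></script>'),
    ])
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Widget" + tag, 9.5), (2, "Gadget", 12.0)])
    return conn

if __name__ == "__main__":
    for hit in find_foreign_scripts(sample_db(), {"www.site.example"}):
        print(hit)
```

A hit in a short field such as a product name is a strong sign of mass injection rather than a deliberate embed, and the reported hosts can be compared against the domains.txt list.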

Here are some good articles on SQL Injection attacks and some tips on how to prevent them (watch wrap):

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

http://blogs.technet.com/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

Malware Blocklist: 52 new domains

Posted on April 15th, 2008 in New Domains by dglosser

52 new domains associated with malware. Sources: webhelper, and a new resource, SRI Malware Threat Center:
