
48 New Domains associated with malware (DNS Blackhole)

Posted on May 31st, 2008 in New Domains by dglosser

48 new domains associated with malware. Sources include: the emerging threats sandbox, ddanchev.blogspot.com, www.shadowserver.org.


Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

unlisted domain: adecn(dot)com

Posted on May 30th, 2008 in Domain News,Removed Domains by dglosser

adecn(dot)com has been unlisted. Please update your blocklists.

34 New Domains

Posted on May 28th, 2008 in New Domains by dglosser

34 new domains associated with malware. Domains are rogue antivirus and the usual SQL iframe domains. Sources include SANS and the Sunbelt Blog.


DNS-BH Update: 34 New Malicious Domains

Posted on May 27th, 2008 in New Domains by dglosser

34 new domains associated with malware. Sources: the emerging threats sandbox, Symantec, SANS, and others.


New sites from the sunbelt blog

Posted on May 24th, 2008 in New Domains by dglosser

Some new domains from the Sunbelt Blog.


False Positive: bux.to

Posted on May 24th, 2008 in Domain News,Removed Domains by dglosser

Bux.to was added to the list because the Sohanad worm seems to contact that domain.

Bux.to asked us to reconsider the listing, and, after further review, we determined that the traffic to the bux.to domain was not malicious.

Therefore, the domain was delisted.

Remember, if there are any domains which you believe should not be listed, check the domains.txt file and determine why it was listed. Then contact us at malware3domains1@gmail2.com (remove all numbers) and constructively state why you believe the domain should be delisted.

Review and (if necessary) delisting usually takes less than 24 hours.

New Domains You Really Need to Block

Posted on May 23rd, 2008 in iframes,New Domains by dglosser

35 new domains you really need to block. Sources: emerging threats sandbox, new iframe injection domains from shadowserver, Bharath’s Security Blog.


What to do if your domain is listed….

Posted on May 23rd, 2008 in New Domains by dglosser

Q. My domain is listed unfairly. How do I get my domain removed?
A. Remember that we are a reporting service. All of the data comes from external sources. None of the domains or sites listed on the DNS-BH lists come from data created here. So, generally speaking, to get off a list you should contact that data source as described in the domains.txt file.

Check other major antivirus and malware vendors to see whether you are also listed there, as the domains.txt file may not be the only location which lists your domain as malware or malicious.

Provide documented, third-party proof that these vendors have “delisted” your domain. Contact us after you’ve provided this information.

Threatening legal action or starting legal proceedings will result in a much longer delay in getting your site removed. The DNS-BH project is a volunteer not-for-profit project and blacklist operators are protected under U.S. Federal statute and case law 47 USC 230(c)(2)(B).

We have no wish to list a site unfairly. Although every effort is made to ensure the list is error free, mistakes can and will occur. We do not want to list anything that should not be listed. This list is not intended to block ad serving, or any other legitimate activity. Its intent is to help network operators and others to identify and stop malware infections.

This list comes with no guarantees. We all have other full-time jobs. This is a completely volunteer effort as part of the fight against malware.

The average time between asking for a site to be delisted and the site actually being delisted (if warranted) is less than 24 hours.

Again, threatening legal action or starting legal proceedings will result in a much longer delay in getting your site removed.

If a domain is removed, it is still listed in the “domains.txt” file with a comment (#) in the first column but is not active.

Just to clarify – this has always been our policy, back when we were hosted on the bleedingsnort web site.

Another SQL Injection Domain: chliyi. com

Posted on May 23rd, 2008 in iframes,New Domains by dglosser

Shadowserver has updated his list to include www. chliyi. com and possibly others. Check his listing ASAP.

Will be added here on the next update.

IFRAMES are evil.

DNS-BH Latest Update

Posted on May 20th, 2008 in iframes,New Domains by dglosser

Added some new domains associated with malware. Sources include the emerging threats sandbox, Shadowserver (the SQL iframe domains), and Dancho Danchev’s Blog.
