DNS-BH Update: New Malicious Domains

Posted on June 29th, 2008 in iframes,New Domains,sql injection by dglosser

New domains associated with malware, mostly new iframe/sql injection & asprox domains. Sources: www.matchent.com, www.bloombit.com, www.emergingthreats.net.

Help fight spyware: Join the Spyware Listening Post!

domains.txt file is the complete list along with original reference

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format

New Iframe: google-analyze.info and iframer.pl

Posted on June 27th, 2008 in Domain News,iframes by dglosser

A new domain to block: google-analyze .info

See the following for more information:

http://www.webhostingtalk.com/showthread.php?p=5180521 and http://forum.joomla.org/viewtopic.php?f=267&t=301745&p=1329547

New sql injection/Iframe Domains

Posted on June 26th, 2008 in iframes,New Domains by dglosser

New domains associated with sql injection/iframes, mainly from Shadowserver. These domains should be immediately blocked!

New Iframe domains to block

Posted on June 25th, 2008 in iframes by dglosser

s3c-watch has a list of sql-injected iframe domains:

www .westpacsecuresite .com
bios47 .com
www .update34 .com
apps84 .com
chanm .cn

and others.

These domains, as well as those listed on Shadowserver’s site, will be added in the next update, but you should not wait….

New Domains associated with Malware

Posted on June 24th, 2008 in New Domains by dglosser

New domains associated with malware, from various sources:

Preventing SQL Injection

Posted on June 23rd, 2008 in iframes,sql injection by dglosser

A function that sanitizes all input data: http://isc.sans.org/diary.html?storyid=4615

How To Immune Your Web Application and Database From Such Automated Attacks:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

Tip/Trick: Guard Against SQL Injection Attacks
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

Stopping SQL Injection and Crossing Over Cross-site Scripting
http://securitymasala.files.wordpress.com/2007/11/mano_paul_sqlinjandxss_catalyst_eu.pdf

Detection, defense, and identifying possible coding which may be exploited by an attacker:
http://www.microsoft.com/technet/security/advisory/954462.mspx

Stop SQL Injection Attacks Before They Stop You
http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

SQL Injection Attacks by Example
http://www.unixwiz.net/techtips/sql-injection.html

Finding SQL Injection with Scrawlr: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

Here are some good articles on SQL Injection attacks and some tips on how to prevent them (watch wrap):

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

http://blogs.technet.com/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

IFRAME/SQL Injection Resources

Posted on June 23rd, 2008 in Domain News,iframes by dglosser

SANS has a new article on the SQL injection attacks on ASP pages. They link to a function that filters out SQL keywords and also escapes some of the SQL metacharacters to prevent SQL injection.

A better alternative is to use a parameterized query. SANS links to several examples.

SANS sums it up best:

Parameterized query is available on most other web scripting platforms, now is the time to review all your web app before the automated SQL injection exploitation spreads to other language platforms (PHP, CFM, PL)
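
The contrast drawn above between a keyword filter and a parameterized query, as an added example that is not code from this post or from the SANS article. It uses Python with an in-memory SQLite table; the table, columns, function names and sample rows are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data; the table, columns and function names are
# assumptions made for this example, not taken from the SANS article.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, author TEXT, title TEXT)")
    db.executemany("INSERT INTO articles (author, title) VALUES (?, ?)",
                   [("O'Brien", "Union Street notes"),
                    ("Lee", "Select committee report"),
                    ("Kim", "Drafts")])
    return db

KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop|exec|declare|cast)\b", re.I)

def keyword_filter(value):
    """Blacklist approach: strip SQL keywords and double single quotes."""
    return KEYWORDS.sub("", value).replace("'", "''")

def by_id_filtered(db, raw_id):
    """Filtered input spliced into the SQL text in an unquoted numeric context."""
    sql = "SELECT title FROM articles WHERE id = " + keyword_filter(raw_id)
    return [row[0] for row in db.execute(sql)]

def by_title_filtered(db, title):
    """Filtered input spliced into a quoted string context."""
    sql = "SELECT author FROM articles WHERE title = '" + keyword_filter(title) + "'"
    return [row[0] for row in db.execute(sql)]

def by_id_param(db, raw_id):
    """Parameterized: the value is bound as data and never parsed as SQL."""
    return [row[0] for row in db.execute("SELECT title FROM articles WHERE id = ?", (raw_id,))]

def by_title_param(db, title):
    """Parameterized lookup by title; keywords inside the value are harmless."""
    return [row[0] for row in db.execute("SELECT author FROM articles WHERE title = ?", (title,))]

if __name__ == "__main__":
    db = make_db()
    # The filter sees no keyword or quote here, so the condition reaches the parser.
    print(by_id_filtered(db, "1 OR 1=1"))
    # The filter strips "Select" from a legitimate title, so the lookup fails.
    print(by_title_filtered(db, "Select committee report"))
    # The same inputs through bound parameters behave as plain values.
    print(by_id_param(db, "1 OR 1=1"))
    print(by_title_param(db, "Select committee report"))
```

The filter fails in both directions: it lets an unquoted numeric condition through and it corrupts legitimate data that happens to contain a keyword. The bound-parameter versions need no filtering at all.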

IFRAME Domains to Immediately Block

Posted on June 19th, 2008 in iframes,New Domains by dglosser

IFRAME ALERT! Domains associated with iframes, from Shadowserver. Block these domains immediately!

DNS-BH Update: Zlob variants and fake codecs

Posted on June 16th, 2008 in fake codecs,New Domains by dglosser

New domains, mainly from Dancho Danchev’s Blog (who has some interesting things to say about blacklisting malicious sites):

61 New Domains to Block

Posted on June 15th, 2008 in New Domains by dglosser

61 new domains associated with malware: fake codecs, an iframe domain, rogue antivirus, and malware caught in the emerging threats sandbox.

Sources: the emerging threats sandbox, bharath-m-narayan.blogspot.com, ddanchev.blogspot.com, and others. As always, check the domains.txt for the original reference.
