
malware blocklist: 66 new domains

Posted on July 29th, 2008 in asprox,fake codecs,iframes,New Domains,rogue antivirus,sql injection,Storm Worm by dglosser

ASProx domains, “copycat” SQL injection domains, Storm Worm domains, and a few rogue antivirus sites.

Sources include ddanchev.blogspot.com, www.sudosecure.net, mtc.sri.com, and others:


Contact us if you want to help us keep the Malware Blocklist current.

domains.txt file is the complete list along with original reference.

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND format
Also available in AdBlock and ISA formats!
Now a trusted source on the WOT-the Web of Trust!

Domain Removal

Posted on July 28th, 2008 in Domain News,Removed Domains by dglosser

adult-empire .com was just removed from the active list. SiteAdvisor does not report any active malware on this site.

More SQL Injection

Posted on July 28th, 2008 in Domain News,sql injection by dglosser

Dancho Danchev reports a copycat SQL Injection in the wild. Block the following domains ASAP:


(Domains will be added during the next update, but you should not wait.)

Sources: http://forum.kaspersky.com/lofiversion/index.php/t74890.html and http://ddanchev.blogspot.com/.

DNS-BH Update: 58 new domains

Posted on July 26th, 2008 in asprox,Domain News,fake codecs,rogue antivirus,sql injection,zlob by dglosser

Some ASProx domains, Zlob domains, trojan domains, and fake antivirus domains. Sources include www.malwaredomainlist.com, bharath-m-narayan.blogspot.com, www.shadowserver.org, and others:


SQL Injection Finder

Posted on July 25th, 2008 in asprox,Domain News by dglosser

CodePlex has released an interesting tool called SQLInjectionFinder.

It helps determine which .asp pages were targeted by recent SQL injection attacks. You launch it on your IIS machine, it reads your IIS logs, and it creates a log of suspicious entries. Sounds like something that should be run on a regular basis on any IIS-based server.
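
The kind of log check described above, as an added example (not SQLInjectionFinder's code and not from the original post): it parses IIS W3C logs using the `#Fields:` header and flags `.asp` requests whose decoded query string carries at least two indicators. The indicator patterns, the function name and the sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed indicators of the 2008 mass SQL injection requests (not taken from
# SQLInjectionFinder): a T-SQL variable, a hex-encoded CAST, and EXEC of it.
INDICATORS = {
    "declare": re.compile(r"declare\s+@\w+", re.I),
    "cast_hex": re.compile(r"cast\s*\(\s*0x[0-9a-f]+", re.I),
    "exec": re.compile(r"exec\s*\(\s*@\w+", re.I),
}

def find_suspicious(log_lines, min_hits=2):
    """Return (line_no, client_ip, page, indicator names) for suspect .asp hits."""
    fields, findings = [], []
    for line_no, line in enumerate(log_lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().endswith(".asp"):
            continue
        # IIS logs the query URL-encoded; decode before matching.
        query = unquote_plus(row.get("cs-uri-query", ""))
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(query))
        if len(hits) >= min_hits:          # one keyword alone is too noisy
            findings.append((line_no, row.get("c-ip", "?"), stem, hits))
    return findings

# Constructed sample log (documentation IP ranges, shortened hex payload).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-07-25 10:01:02 192.0.2.10 GET /products.asp id=42 200
2008-07-25 10:01:05 198.51.100.7 GET /news.asp id=7;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445%20AS%20VARCHAR(4000));EXEC(@S);-- 200
2008-07-25 10:01:09 192.0.2.11 GET /default.htm - 200
2008-07-25 10:01:12 192.0.2.12 GET /search.asp q=declare+independence 200
""".splitlines()

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A flagged request only shows that a page was targeted; whether the injection succeeded has to be checked in the database itself.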

WOT-Web of Trust

Posted on July 24th, 2008 in Domain News by dglosser

WOT is a free Internet security addon for Firefox and IE that protects you against online threats like malware, scams, unreliable shopping sites and spam. The WOT community helps make the Internet safer by sharing their experiences of websites and the services they offer.

We are happy to report that we have been added as a trusted source to the WOT ratings database.

More ASPROX, SQL Injection, and Money Mule Domains to block

Posted on July 23rd, 2008 in asprox,Domain News,fake codecs,rogue antivirus,sql injection by dglosser

Shadowserver has a nice text page of the latest SQL injection domains. s3cwatch lists a few more. And ddanchev has a nice article on the money mule recruitment domains that also use the ASProx fast-flux domains:


ASPROX Toolkit

Posted on July 22nd, 2008 in asprox,News by dglosser

Sentinel IPS has released a new version of their ASProx Toolkit. This toolkit has T-SQL code for cleaning infected databases and URLScan configuration instructions for catching injection attempts. Read about it here.

50 New Domains to Add to your Malware Blocklist

Posted on July 18th, 2008 in asprox,Domain News,iframes,rogue antivirus,sql injection by dglosser

50 New Domains to Add to your Malware Blocklist. Some SQL injection domains from Shadowserver, domains caught in the Emerging Threats sandbox, and others.


Asprox and Storm Worm Domains

Posted on July 17th, 2008 in asprox,iframes,sql injection,Storm Worm by dglosser

Some ASProx SQL injection domains and Storm Worm domains to add to your blocklists.

Sources include www.dynamoo.com/blog/, www.sudosecure.net and others:
