
About.US RFI

Posted on November 30th, 2011 in General Security by dglosser

According to this report, the domain registrar “about.us” is completely compromised with RFI (Remote File Inclusion) scripts exploiting the WordPress TimThumb vulnerability (TimThumb being the image-resizing script bundled with many WordPress themes).

Big Update – android malware, bhexploitkit, malspam domains

Posted on November 28th, 2011 in malspam,malvertising,MoneyMule,New Domains,zeus by dglosser

Added 156 domains associated with “LockEmAll”, malspam, Zeus, BH Exploit Kit, Android malware and more. Sources include blog.dynamoo.com, malc0de.com, www3.malekal.com, xylibox.blogspot.com … (Every source is listed in the domains.txt file.)

Reminder: the mirror for compressed zip files is up and running – please contact us for details – right now it has very little usage.

Please help to keep this site free and donate whatever you can:  All donations go to hosting and infrastructure costs.

The malware block lists provided here are free for noncommercial use as part of the fight against malware. Any commercial use of these lists is strictly prohibited without prior approval.

Please use the “datestamp” and “timestamp” files to determine whether the list has been updated, and ONLY pull the files you need – abusers will be banned!

Yearly sponsorships are available. Full acknowledgment, an icon, and link back to your site will be placed in the left sidebar.

domains.txt is the complete list, with the original reference for each entry.
justdomains contains only the domain names.

BOOT file is in MS DNS format. spywaredomains.zones file is in BIND format.

Also available in AdBlock, ISA, and MaraDNS formats.
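If you build your own BIND configuration from the justdomains list instead of dropping in the ready-made spywaredomains.zones file, treat the list as untrusted input: a line that is not a plain hostname must be dropped before it reaches named.conf. The script below is an added example, not malwaredomains.com's own tooling. The zone-statement layout, the sinkhole file path /etc/namedb/blockeddomain.hosts and the sample list are assumptions.

```shell
#!/bin/sh
# Added example, not malwaredomains.com's own tooling: turn a justdomains-style
# list (one domain per line) into BIND "zone" statements that hand every
# blocked domain to a local sinkhole zone file. The statement layout and the
# sinkhole path are assumptions; adjust them to match your named.conf.
SINKHOLE_FILE=/etc/namedb/blockeddomain.hosts

# Constructed sample input, not real block-list data. It deliberately mixes in
# a duplicate, mixed case, a comment, a line with spaces and a line carrying a
# double quote and semicolon: a list fetched from a third party is untrusted,
# and an unfiltered line with a quote could close the zone statement and
# smuggle further named.conf directives into the generated file.
SAMPLE_LIST='# constructed sample
bad-example.test
Another-Bad.Example.TEST
bad-example.test
this line has spaces
evil.example"; include "/etc/named.extra
'

# to_bind_zones FILE: lowercase, strip CRs/comments/whitespace, keep only
# hostnames made of [a-z0-9-] labels separated by dots, dedupe, then emit one
# zone statement per surviving domain. Anything else is dropped, not escaped.
to_bind_zones() {
    tr 'A-Z' 'a-z' < "$1" \
      | tr -d '\r' \
      | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$' \
      | sort -u \
      | while IFS= read -r domain; do
            printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$SINKHOLE_FILE"
        done
}

# count_zones FILE: number of zone statements to_bind_zones emits for FILE.
count_zones() {
    to_bind_zones "$1" | grep -c . || true
}

# write_sample_list FILE: store SAMPLE_LIST in FILE, plus one CRLF-terminated line.
write_sample_list() {
    printf '%s' "$SAMPLE_LIST" > "$1"
    printf 'crlf-example.test\r\n' >> "$1"
}

# Stand-alone use: sh justdomains-to-bind.sh justdomains > /etc/named.blocked.conf
if [ "$#" -ge 1 ]; then
    to_bind_zones "$1"
fi
```

On the sample list only the three well-formed names survive (another-bad.example.test, bad-example.test, crlf-example.test); the line with the embedded quote is discarded rather than quoted, which is the safer choice for configuration that named will parse.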

A trusted source on WOT (the Web of Trust). Used by SURBL, MOREnet, SANS, and others…

Black Hole, Cridex, Drivebys, Trojan Domains

Posted on November 24th, 2011 in Spyeye,Trojans by dglosser

Added domains associated with Cridex, trojans, drive-bys, malicious JavaScript and more. Sources include www.securityhome.eu, www.spamhaus.org, malc0de.com …

(Every source is listed in the domains.txt file.)


Malvertisers, Zeus, BH Exploit Domains…

Posted on November 21st, 2011 in malvertising,New Domains,RBN,Trojans,zeus by dglosser

Malicious domains associated with trojans, backdoors, BH Exploit Kit and RBN malvertisements were added. Sources include www.malwareurl.com, xylibox.blogspot.com, scrapbook.zscaler.com, malc0de.com …

OT: “But it’s Encrypted”

Posted on November 18th, 2011 in General Security,Off Topic by dglosser

At my “real job”, I’m constantly getting push back from users, ops people (network admins, sysadmins, etc.) and developers about security. For example:

  • “This isn’t the pentagon”
  • “We can’t do our work”
  • “But it’s encrypted and the key is only known by two different people”
  • “You say it’s a security issue, but we haven’t been hacked so far, so how much of a risk can it be?”

At first glance, all of these statements seem valid and reasonable (especially when they are presented to upper management).

When management comes to you with these statements, there need to be simple, concise answers (maybe two: one for technical and one for non-technical audiences).

How many of you have received these arguments from users?
What other arguments have you received?
How have you responded? (Especially if you “won” the argument and convinced the user and the manager.)

We’ll collect the responses and summarize. Email us at 12malware8domains789@32gmail33.com33 (remove numbers)

Small but important update

Posted on November 15th, 2011 in iframes,New Domains,Trojans by dglosser

A small but important update… Domains associated with CVE-2011-2140, fast-flux botnets, malicious iframes, etc. were added. Sources include blog.sucuri.net, malc0de.com, dasient.com and others. (Every source is listed in the domains.txt file.)


Bash commands to detect script injections and malware

Posted on November 14th, 2011 in Domain News by dglosser

This was posted a while ago on stopbadware and it’s too good not to repost…

find . -name '*.js' -print0 | xargs -0 grep -l 'eval(unescape'
find . -name '*.php' -print0 | xargs -0 grep -l 'eval(base64_decode'

The first finds any JavaScript file containing the literal string “eval(unescape”, one of the most common markers of injected, obfuscated JavaScript; the second does the same for PHP files with “eval(base64_decode”. (The -print0 / xargs -0 pairing keeps file names containing spaces from being split into separate arguments, which the bare “find | xargs” form gets wrong.) Both are plain substring matches: a site that legitimately uses these calls will show up, and an attacker who inserts whitespace or splits the call across variables will not. (Source: https://badwarebusters.org/stories/show/20712)

If you run a CMS, turning this into a “cron” script that runs at a regular interval may not be a bad idea*. (Note: Linux only. If anyone is running the equivalent commands on Windows, please let us know.)

* In addition to using a “sitecheck” service like sucuri or qualys.
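A cron-ready version of the two one-liners, as an added example that is not from the original post or from StopBadware: it uses a fixed-string pattern file so that a few more PHP obfuscation idioms (gzinflate, str_rot13, gzuncompress wrapped in eval) are caught in the same pass, handles file names with spaces, and builds a small constructed sample tree so you can see what gets flagged. The sample file names, the payloads, the install path and the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from StopBadware: a
# cron-friendly scanner built around the two grep signatures above, extended
# with a few related PHP obfuscation idioms. File names, paths, payloads and
# the cron line are assumptions for illustration.

# Literal strings (grep -F) commonly seen in injected code. Fixed-string
# matching means the parentheses are matched as-is, not as regex groups.
PATTERNS='eval(unescape
eval(base64_decode
eval(gzinflate(base64_decode
eval(str_rot13
eval(gzuncompress'

# scan_tree DIR: print each .js/.php file under DIR that contains any pattern.
# -print0/-0 keep file names containing spaces or newlines intact, which the
# bare "find | xargs grep" one-liners would split into bogus arguments.
scan_tree() {
    pat=$(mktemp)
    printf '%s\n' "$PATTERNS" > "$pat"
    find "$1" -type f \( -name '*.js' -o -name '*.php' \) -print0 \
        | xargs -0 grep -lF -f "$pat" 2>/dev/null || true   # grep exits 1 when nothing matches
    rm -f "$pat"
}

# count_hits DIR: number of flagged files, as a bare integer.
count_hits() {
    scan_tree "$1" | grep -c . || true
}

# make_sample_site DIR: constructed sample tree (not real malware). Two clean
# files, three files carrying the signatures with harmless payloads, and a
# .txt file that is outside the scanner's scope.
make_sample_site() {
    site="$1"
    mkdir -p "$site/js" "$site/wp-content/themes/demo"
    printf '%s\n' 'function add(a, b) { return a + b; }' > "$site/js/clean.js"
    printf '%s\n' '<?php echo "ok"; ?>' > "$site/wp-content/themes/demo/clean.php"
    # unescape payload decodes to alert(1); the base64 payload decodes to "hi"
    printf '%s\n' 'var x=1;eval(unescape("%61%6c%65%72%74%28%31%29"));' > "$site/js/injected.js"
    printf '%s\n' '<?php eval(base64_decode("aGk=")); ?>' > "$site/wp-content/themes/demo/injected.php"
    printf '%s\n' '<?php eval(gzinflate(base64_decode("x"))); ?>' > "$site/wp-content/themes/demo/my theme.php"
    printf '%s\n' 'eval(unescape' > "$site/notes.txt"
}

# Stand-alone use: sh scan-injections.sh /var/www
# Cron (assumed install path, runs nightly, output lands in the cron mail):
#   0 3 * * * sh /usr/local/bin/scan-injections.sh /var/www
if [ "$#" -ge 1 ]; then
    scan_tree "$1"
fi
```

Against the sample tree the scanner reports exactly the three injected files, including “my theme.php” with its embedded space, and ignores the clean files and notes.txt. Pattern matching of this kind is a cheap early warning, not a verdict: review each hit, and pair it with a file-integrity baseline so that a newly modified theme file stands out even when the payload uses a string the list does not know.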

Immortal Domains

Posted on November 14th, 2011 in Domain News,immortal,New Domains by dglosser

We just finished recertification of 237 long-lived, “immortal” malware domains.

These are domains which continue to actively serve malware for months if not years.
Some of these domains have been active here for more than two years.

Of those 237 domains, 34 (less than 15%) were removed.

That means that over 85% of these long-lived domains are truly “bulletproof”: they have remained actively malicious for months or years, some for more than two years.

The list of those few removed domains is here: removed-domains-20111112.txt

List of these “immortals”  is here: immortal_domains.txt

htaccess redirects, malicious iframes, malvertising domains

Posted on November 12th, 2011 in iframes,malvertising,New Domains by dglosser

Added domains associated with malvertising, malicious JavaScript, malicious iframes, .htaccess redirects and more. Sources include vxvault.siri-urz.net, www.hphosts.net … (Every source is listed in the domains.txt file.)


vxvault.siri-urz.net/url_list.php

Blackhole Exploit, LockEmAll, Zeus Domains

Posted on November 9th, 2011 in New Domains,rogue antivirus,Trojans,zeus by dglosser

Added 119 new Zeus, trojan, “LockEmAll” and BH Exploit Kit domains. Sources include www.malwareurl.com, safebrowsing.clients.google.com, malwaredomainlist.com and others. (Every source is listed in the domains.txt file.)
