Flame/Flamer/Skywipe Domains & IPs

Posted on May 31st, 2012 in 0day by dglosser

Several sources have published detailed information (1, 2, 3, 4, 5) about the Flame (also known as Flamer or Skywipe) “attack toolkit”.

Some sites (1, 2) have also published the domains and IP addresses of Flame’s C&C servers…

IP: 91.203.214.72  91.135.66.118

Domains: traffic-spot .com  traffic-spot.biz  smart-access .net  quick-net .info

 

 

List Reorg: 1500+ domains removed

Posted on May 29th, 2012 in Removed Domains by dglosser

Approx. 1600 domains were reevaluated and 1540 were removed from the list.
30 domains were added to our “immortal”, long-lived malicious domains list.

List of removed domains: http://mirror2.malwaredomains.com/files/removed-domains-20120528.txt

List of “immortal” domains: http://mirror2.malwaredomains.com/files/immortal_domains.txt

Site Delisting: diamande.ee

Posted on May 27th, 2012 in Removed Domains by dglosser

diamande.ee has been delisted and will be removed in the next update.

Looking for volunteers and donations

Posted on May 27th, 2012 in Domain News by dglosser

Looking for volunteers to help us maintain the blocklist. Things like writing Perl programs (Cygwin compatible) to compare the blocklist to Google’s Safe Browsing database, etc. No compensation except authorship credit as well as knowing that your work will help in the never-ending fight against malware.

If you consider this blocklist useful, please consider donating money or sponsoring the list.

Java Exploits, malicious advertising, SutraTDS

Posted on May 26th, 2012 in exploit,malvertising,New Domains by dglosser

Added over 100 domains associated with malvertising, Java exploits, htaccess redirects… Sources include hosts-file.net, www.mwis.ru, sucuri.net (all sources are listed in our domain.txt file).

Compressed files are located at: http://www.malware-domains.com (full zone files, note the dash) and http://dns-bh.sagadc.org/. We also have a mirror dedicated to research and Open Source Projects – contact us for details. NO ZONE FILES ARE LOCATED ON THIS SITE.

* Please help to keep this site free and donate whatever you can: all donations go to hosting and infrastructure costs.
* The malware block lists provided here are free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.
* Please use the “datestamp” and “timestamp” files to determine if the list has been updated and ONLY pull the files you need – abusers will be banned! Use “wget -N”!
* Yearly sponsorships are available. Full acknowledgment, an icon, and a link back to your site will be placed in the left sidebar.
* The Domains.txt file is the complete list along with the original reference. Justdomains contains a list of only the domain names. The BOOT file is in MS DNS format. The Malwaredomains.zones file is in BIND format. Also available in AdBlock, ISA, and MaraDNS formats. A trusted source on WOT, the Web of Trust. Used by SURBL, MOREnet, SANS, and others…

Measuring the Lifecycles of Malicious Domains

Posted on May 23rd, 2012 in Domain News by dglosser

Interesting article found here… From the abstract:

“…we present preliminary results from on-going experiments we are conducting to track the lifetime of malicious domains. Studying the lifecycles of malicious domain names will provide insight into the many classes of criminal networks that depend on DNS, and inspire the development of new, more effective countermeasures.”

 

Some highlights:

  • the number of resurrected domains gravitates around 200 everyday revealing a number of domains that are intermittently inactive, which could potentially be an evasion mechanism or a correlating characteristic of instability
  • Contrary to our intuition …  many of the [malicious] domains are long-lived and more domains are being introduced than are dying.

We’ve noticed and tracked many of the “immortal” malware domains but haven’t done any research into “resurrected”, or intermittently inactive/active, domains. Hmmm

Again, we encourage research using our blocklists and have set up a mirror dedicated to open source projects and scholarly research. All we ask is that you let us know about such research.
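
An added example, not from this post or the cited paper: one way to start tracking “resurrected” and long-lived domains, given one set of resolving listed domains per observation day. The sample data, the `.example` names, the function names, the `min_days` threshold and the working definitions in the comments are all assumptions.

```python
from datetime import date

# Constructed sample: for each observation day, the listed domains that
# resolved that day. All names are placeholders, not real indicators.
SNAPSHOTS = {
    date(2012, 5, 19): {"a.example", "b.example", "c.example"},
    date(2012, 5, 20): {"a.example", "c.example"},
    date(2012, 5, 21): {"a.example", "b.example", "d.example"},
    date(2012, 5, 22): {"a.example", "d.example"},
    date(2012, 5, 23): {"a.example", "b.example", "d.example"},
}

def resurrected_per_day(snapshots):
    """Return {day: domains active that day, inactive on the previous
    observation day, but active on some earlier day} (assumed definition)."""
    seen, previous, out = set(), set(), {}
    for day in sorted(snapshots):
        active = snapshots[day]
        out[day] = (active & seen) - previous
        seen |= active
        previous = active
    return out

def classify(snapshots, min_days=4):
    """Label each domain 'long-lived', 'intermittent', 'dead' or 'active'."""
    days = sorted(snapshots)
    labels = {}
    for domain in set().union(*snapshots.values()):
        history = [domain in snapshots[d] for d in days]
        since_first = history[history.index(True):]
        # Index of the most recent active day, counted from first sighting.
        last_active = len(since_first) - 1 - since_first[::-1].index(True)
        # A gap is an inactive day that is later followed by an active day.
        has_gap = not all(since_first[:last_active + 1])
        if has_gap:
            labels[domain] = "intermittent"   # went away and came back
        elif not since_first[-1]:
            labels[domain] = "dead"           # stopped resolving, no return
        elif len(since_first) >= min_days:
            labels[domain] = "long-lived"     # "immortal" candidate
        else:
            labels[domain] = "active"         # too new to call long-lived
    return labels

if __name__ == "__main__":
    for day, names in resurrected_per_day(SNAPSHOTS).items():
        print(day, sorted(names))
    print(classify(SNAPSHOTS))
```

A domain labelled “intermittent” keeps that label even on days it is inactive, which is the reason not to delist it on the first failed lookup.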

htaccess redirects, malicious javascript, trojans

Posted on May 22nd, 2012 in iframes,New Domains,Trojans by dglosser

Added 137 domains associated with htaccess redirects, malvertising, iframes, trojans, etc. Sources: exposure.iseclab.org, threatexpert.com, zeustracker, sucuri.net, and others (all sources are listed in our domain.txt file).


owlopadjet . info

Posted on May 19th, 2012 in 0day,iframes by dglosser

Probably should block this guy asap. We received an email stating that hxxp://owlopadjet . info/index.php?tp=e1909d7d62debace is infecting other websites.

See http://wepawet.iseclab.org/view.php?hash=c6f95bc490bb919ac9a9a16f8cfbcd2f&t=1337457427&type=js

 

BH Exploit Kit, malvertising, cridex domains

Posted on May 17th, 2012 in BH Exploit Kit,malvertising,New Domains,Trojans,zeus by dglosser

Added almost 150 domains associated with Black Hole Exploits, malvertising, cridex, etc. Sources: www.mwis.ru, zeustracker.abuse.ch, exposure.iseclab.org and several others (all sources are listed in our domain.txt file).


sql injection, htaccess, maliciousjs domains

Posted on May 13th, 2012 in New Domains by dglosser

Added domains associated with htaccess redirection, SQL injection, iframes, etc. Please update your blocklists/sinkhole and follow our Terms of Use.

Reminder: the main site does not contain any zone files. Only download files from one of our download mirrors.