RunForestRun DGA Domains

Posted on July 28th, 2012 in New Domains by dglosser

Added over 200 RunForestRun domains listed at blog.unmaskparasites.com.

RunForestRun DGA Update

Posted on July 26th, 2012 in 0day,New Domains by dglosser

http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/

RunForestRun has changed its domain generating algorithm (DGA) and now uses waw.pl subdomains (instead of .ru domains) in its malicious URLs.

Update: the full list of predicted domains is here: http://pastebin.com/8tfexYE3

Java Exploit domains, trojans, rogues

Posted on July 25th, 2012 in exploit,New Domains,rogue antivirus by dglosser

A small but important update containing domains associated with Java exploits, rogue antivirus, trojans, and other malicious domains that you don't want your computer or network visiting. Sources include www.mwis.ru, www.malwaredomainlist.com, and urlquery.net (all sources are listed in our domain.txt file).

NO ZONE FILES ARE LOCATED ON THIS SITE. Users and IP addresses which repeatedly attempt to download zone files directly from this site will be banned from all downloads. We also have a mirror dedicated to research and Open Source Projects; please contact us for details.

* Please help to keep this site free and donate whatever you can: all donations go to hosting and infrastructure costs.
* The malware block lists provided here are free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.
* Please use the "datestamp" and "timestamp" files to determine whether the list has been updated, and ONLY pull the files you need; abusers will be banned! Use wget -N!
* Yearly sponsorships are available. Full acknowledgment, an icon, and a link back to your site will be placed in the left sidebar.
* The domains.txt file is the complete list along with the original reference for each entry. The justdomains file contains only the domain names. The BOOT file is in MS DNS format. The malwaredomains.zones file is in BIND format. Also available in AdBlock, ISA, and MaraDNS formats. A trusted source on WOT (the Web of Trust). Used by SURBL, MOREnet, SANS, and others.
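The list formats described above, as an added example that is not this site's own code: a Python script that parses a justdomains-style list (one bare domain per line; a constructed sample is embedded) and emits one sinkhole stanza per domain in BIND named.conf form and in MS DNS BOOT form, plus a minimal sinkhole zone file. The exact stanza layout, the blockeddomain.hosts file name and the sinkhole zone contents are assumptions about how such files are commonly laid out, not taken from the page; junk lines are dropped so a malformed list entry cannot break the resolver configuration.

```python
"""Convert a justdomains-style blocklist into sinkhole zone declarations (added example)."""
import re

# Constructed sample in the justdomains layout: one domain per line.
# A comment, a blank line, mixed case and a junk line exercise the parser.
SAMPLE_JUSTDOMAINS = """\
# constructed sample, not the real list
evil-dga-example.waw.pl
rogue-av-example.ru

Bad-Case-Example.com
not a domain!
evil-dga-example.waw.pl
"""

# One hostname label (RFC 1123 style): letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_justdomains(text):
    """Return the lower-cased, de-duplicated, syntactically valid domains in file order."""
    seen = set()
    domains = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if not _DOMAIN_RE.match(line):
            continue  # drop junk rather than emitting a broken zone stanza
        if line not in seen:
            seen.add(line)
            domains.append(line)
    return domains


def to_bind_zones(domains, zone_file="/etc/namedb/blockeddomain.hosts"):
    """One 'zone' stanza per domain, every one served from the same sinkhole zone file.
    Stanza layout and path are assumed, not taken from the page."""
    return "".join(
        f'zone "{d}" {{type master; file "{zone_file}";}};\n' for d in domains
    )


def to_ms_boot(domains, zone_file="blockeddomain.hosts"):
    """MS DNS BOOT-file form: 'primary <domain> <zone file>' per line (assumed layout)."""
    return "".join(f"primary {d} {zone_file}\n" for d in domains)


def sinkhole_zone_file(sink_ip="127.0.0.1", ns="localhost."):
    """Minimal zone file that answers the apex and every subdomain with sink_ip (assumed layout).
    Pointing at loopback makes the blocked lookup fail closed and show up in local logs."""
    return (
        "$TTL 86400\n"
        f"@ IN SOA {ns} root.localhost. ( 2012072801 3600 900 604800 86400 )\n"
        f"@ IN NS {ns}\n"
        f"@ IN A {sink_ip}\n"
        f"* IN A {sink_ip}\n"
    )


if __name__ == "__main__":
    listed = parse_justdomains(SAMPLE_JUSTDOMAINS)
    print(to_bind_zones(listed))
    print(to_ms_boot(listed))
    print(sinkhole_zone_file())
```

The wildcard record in the sinkhole zone matters: listing only the apex would let a host under the listed domain resolve normally, which is exactly how DGA and iframe campaigns spread names around.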

IntelliDownload (stopmalvertising.com)

Posted on July 23rd, 2012 in New Domains by dglosser

Interesting article about IntelliDownload on stopmalvertising.com:

"…it doesn't disclose that it will hijack advertisements on several major websites and replace them with ads from oadsrv.com, scrape your Facebook data, spy on your browser session and report every move you make on the web back to chango.com…"

Please study the domains listed in the article and take appropriate action (the domains have not yet been added to this blocklist).

DNS-BH Updates: 7.19 and 7.21

Posted on July 22nd, 2012 in BH Exploit Kit,iframes,New Domains by dglosser

I've been remiss about mentioning the updates of 7.19 and 7.21. Please update your blocklists/sinkhole and follow our Terms of Use.

Reminder: the main site does not contain any zone files. Only download files from one of our download mirrors.

Relisted Domains

Posted on July 16th, 2012 in New Domains,relisted by dglosser

Just went through a bunch of older domains and relisted almost 50 of them.

Or do the bad guys wait and "lay low" with their domain until "the coast is clear", and once Google Safe Browsing delists them, once again use the domain to serve up malware (Whack-a-Mole)?

Do they use the Google APIs and check daily to see whether their domain has been delisted?

Is there a name for this? It's like fast-flux, except the time frame is months instead of minutes.

RunForestRun, malspam, malvertising Domains

Posted on July 12th, 2012 in malspam,malvertising,New Domains,runforestrun by dglosser

Added 150 domains (RunForestRun, malspam, malvertising).

Huge Update – 246 malicious domains

Posted on July 10th, 2012 in BH Exploit Kit,malvertising,New Domains by dglosser

A very large update consisting of 246 domains associated with malvertising, iframes, the Blackhole exploit kit, etc. Sources include malwaredomainlist.com, sucuri.net and dynamoo.com (all sources are listed in our domain.txt file).

Analyzing DNS Logs Using Splunk

Posted on July 7th, 2012 in Domain News,News by dglosser

Interesting article on analyzing DNS logs using Splunk, including how to flag it when Splunk sees a DNS lookup for a known bad domain name.

Again, if you use our data as this article does, do not pull the zone file more than once every 12 hours or you will be banned. Better yet, check whether the file has changed (for example via wget's -N option) BEFORE pulling the zone file. And please DONATE if you consider the list useful. A year's worth of donations does not even equal one month's hosting and infrastructure costs, and we are not sure how much longer we can continue to pay these expenses out of pocket.

Article here: http://www.stratumsecurity.com/2012/07/03/splunk-security/

Log DNS queries and the client that requested them: It's been said that DNS is the linchpin of the Internet. It's arguably the most basic and underappreciated human-to-technology interface. It's no different for malware. When you suspect that a device has been compromised on your network, it's important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.
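The check the article describes, matching logged DNS lookups against the justdomains list and tying each hit back to the client that asked, as an added example in Python that is neither the article's nor this site's code. It parses BIND-style query log lines (a constructed sample is embedded, together with a constructed two-entry blocklist), matches each queried name by exact domain or by parent-domain suffix rather than by substring, and reports which client asked for which listed name. The log line layout is BIND's query log and is an assumption about the reader's resolver; adapt the regex for another source.

```python
"""Match DNS query logs against a justdomains-style blocklist (added example)."""
import re
from collections import defaultdict

# Constructed blocklist in the justdomains layout, not the real list.
BLOCKLIST = """\
evil-dga-example.waw.pl
rogue-av-example.ru
"""

# Constructed BIND-style query log lines: two clients, one ignorable line.
# notevil-dga-example.waw.pl is a deliberate near-miss for substring matching.
SAMPLE_LOG = """\
28-Jul-2012 09:15:01.001 client 10.0.0.5#53211: query: www.example.org IN A + (10.0.0.1)
28-Jul-2012 09:15:02.417 client 10.0.0.5#53212: query: evil-dga-example.waw.pl IN A + (10.0.0.1)
28-Jul-2012 09:15:03.002 client 10.0.0.9#40123: query: cdn.evil-dga-example.waw.pl IN A + (10.0.0.1)
28-Jul-2012 09:15:04.500 client 10.0.0.7#40124: query: notevil-dga-example.waw.pl IN A + (10.0.0.1)
28-Jul-2012 09:15:05.100 client 10.0.0.9#40125: query: rogue-av-example.ru IN TXT + (10.0.0.1)
this line is not a query log entry
"""

# Assumed BIND query-log layout: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def load_blocklist(text):
    """Set of listed domains, lower-cased and without a trailing dot."""
    return {
        line.strip().lower().rstrip(".")
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def matched_domain(qname, blocked):
    """Return the listed domain that qname equals or sits under, else None.
    Walks label boundaries so 'notevil-dga-example.waw.pl' does not match 'evil-dga-example.waw.pl'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def scan_log(log_text, blocked):
    """Return {listed_domain: {client_ip: [queried names]}} for every hit.
    Lines that do not parse as query log entries are skipped, not treated as errors."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        listed = matched_domain(m["qname"], blocked)
        if listed:
            hits[listed][m["client"]].append(m["qname"])
    return {domain: dict(clients) for domain, clients in hits.items()}


def suspect_clients(hits):
    """Sorted client IPs that asked for any listed name: the responder's starting list."""
    return sorted({client for clients in hits.values() for client in clients})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, load_blocklist(BLOCKLIST))
    for domain, clients in found.items():
        for client, names in clients.items():
            print(f"{client} asked for {', '.join(names)} (listed: {domain})")
    print("suspect clients:", suspect_clients(found))
```

Matching on label boundaries is the point: a substring or regex search for the listed name would both miss nothing and flag notevil-dga-example.waw.pl, while a plain equality test would miss cdn.evil-dga-example.waw.pl. The client-per-domain grouping is what lets a responder pivot from one hit to the other machines the quoted paragraph talks about.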

1840 domains removed

Posted on July 7th, 2012 in New Domains,Removed Domains by dglosser

1840 domains have been delisted. Please update your blocklists.