Feed

142 malspam, iframe, Joomla exploit, malicious domains

Posted on December 11th, 2012 in 0day,exploit,iframes,malspam,New Domains by dglosser

Added 142 domains associated with malspam and the iframe/Joomla exploit. Sources include safebrowsing.clients.google.com, blog.dynamoo.com and labs.sucuri.net (all sources are listed in our domains.txt file).

* Please help to keep this site free and donate whatever you can: all donations go to hosting and infrastructure costs.
* These malware block lists are provided free for noncommercial use as part of the fight against malware. Any commercial use of this list is strictly prohibited without prior approval.
* Please use the “datestamp” and “timestamp” files to determine if the list has been updated and ONLY pull the files you need. Abusers will be banned! Use wget -N!
* Yearly sponsorships are available. Full acknowledgment, an icon, and a link back to your site will be placed in the left sidebar.
* Domains.txt is the complete list along with the original reference for each entry. Justdomains contains only the domain names. The BOOT file is in MS DNS format. The malwaredomains.zones file is in BIND format. Also available in AdBlock, ISA, and MaraDNS formats. A trusted source on WOT (the Web of Trust). Used by SURBL, MOREnet, SANS, and others.

We also have a mirror dedicated to research and Open Source Projects – please contact us for details.

NO ZONE FILES ARE LOCATED ON THIS SITE. Users and IP addresses which repeatedly attempt to download zone files directly from this site will be banned from all downloads.
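The bullets above describe the same list shipped in several formats (a plain domain list, BIND zone stanzas, AdBlock rules). As an added example, not code from this site, the script below takes a justdomains-style input (one domain per line, an assumption about the layout; the sample is constructed and includes junk lines on purpose), cleans and de-duplicates it, and emits a BIND named.conf block, a BIND Response Policy Zone and an AdBlock filter. The sinkhole zone file path and RPZ origin are placeholders, not values taken from the real list.

```python
import re
from typing import List

# Constructed sample in a one-domain-per-line "justdomains" style (an assumed
# layout, not copied from the real list). Junk lines are included so the
# cleaning step has something to reject.
SAMPLE_JUSTDOMAINS = """\
# comment line
Example-Bad.com
example-bad.com
malware.example.net.
not a domain
mal ware.example
 sub.bad.example.org
"""

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def clean_domains(text: str) -> List[str]:
    """Lowercase, strip whitespace and trailing dots, drop comments, blanks and
    entries that are not syntactically valid hostnames, de-duplicate in order.
    Feeding an unvalidated line into named.conf is how a blocklist update
    breaks your resolver, so the validation is the important part."""
    seen = set()
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        name = line.rstrip(".")
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
            continue
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def to_bind_zones(domains: List[str],
                  sink_file: str = "/etc/namedb/blockeddomain.hosts") -> str:
    """named.conf stanzas making the resolver authoritative for each bad
    domain, all served from one local sinkhole zone file (path is a placeholder)."""
    return "\n".join(
        f'zone "{d}" {{ type master; file "{sink_file}"; }};' for d in domains
    ) + "\n"


def to_rpz(domains: List[str], origin: str = "rpz.local",
           serial: int = 2012121101) -> str:
    """A BIND Response Policy Zone. 'CNAME .' returns NXDOMAIN for the domain
    and the wildcard record covers every name beneath it."""
    head = [
        f"$ORIGIN {origin}.",
        f"@ 3600 IN SOA localhost. root.localhost. {serial} 3600 900 604800 60",
        "@ 3600 IN NS localhost.",
    ]
    body = []
    for d in domains:
        body.append(f"{d} CNAME .")
        body.append(f"*.{d} CNAME .")
    return "\n".join(head + body) + "\n"


def to_adblock(domains: List[str]) -> str:
    """AdBlock syntax: '||host^' blocks the host and its subdomains."""
    return "\n".join(f"||{d}^" for d in domains) + "\n"


if __name__ == "__main__":
    good = clean_domains(SAMPLE_JUSTDOMAINS)
    print(to_bind_zones(good))
    print(to_rpz(good))
    print(to_adblock(good))
```

The RPZ form is the one to prefer on a modern BIND: a single zone that is reloaded on update instead of thousands of zone stanzas that each need a `rndc reconfig`. Whichever format you load, re-run the validation on every pull; a single malformed line will take the whole configuration down.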

Joomla (and WordPress) Bulk Exploit ongoing

Posted on December 10th, 2012 in 0day by dglosser

SANS reports that there is an ongoing bulk Joomla and WordPress exploit, complete with iframes pointing to fake AV.

If anyone has seen a published list of the FQDNs involved in this, please let us know so we can add those domains here.

Update: the issues with the zone files seem to have been resolved, and some of the domains used in this exploit have been added to the blocklist.


Java exploit domains, rogue antivirus, malspam domains…

Posted on September 8th, 2012 in 0day,BH Exploit Kit,malspam,New Domains,rogue antivirus by dglosser

Added 101 new domains associated with Java exploits, malicious spam, Sutra TDS, fake antivirus, etc. Sources include www.emergingthreats.net, www.google.com/safebrowsing and blog.dynamoo.com (all sources are listed in our domains.txt file).

Two updates

Posted on September 3rd, 2012 in 0day,BH Exploit Kit,New Domains by dglosser

Been so busy updating the malware blocklists that I forgot to update the blog. The updates on August 29th and September 1st contained domains associated with the Java 0-day, Blackhole exploits, and other malicious domains you don’t want your desktops or network visiting. Sources include safebrowsing.clients.google.com, www.scumware.org, blog.dynamoo.com and others (all sources are listed in our domains.txt file).


Java 0-Day Domains, BH Exploit Kit Domains, other malicious domains

Posted on August 28th, 2012 in 0day,BH Exploit Kit,exploit,New Domains by dglosser

Added domains associated with the Java 0-day, the Blackhole Exploit Kit, and other badness. Sources include labs.sucuri.net, blog.fireeye.com and www.spamhaus.org (all sources are listed in our domains.txt file).

Domains and IPs to Block ASAP

Posted on August 9th, 2012 in 0day,sql injection by dglosser

Two posts from the Internet Storm Center:

SQL Injection Lilupophilupop style – lists about a dozen domains you should immediately add to your blocklists, plus more in Dynamoo’s blog.

Zeus/Citadel variant causing issues in the Netherlands – follow the links and block those IP addresses.


RunForestRun DGA Update

Posted on July 26th, 2012 in 0day,New Domains by dglosser

http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/

RunForestRun has changed its domain generation algorithm (DGA) and now uses waw.pl subdomains (instead of .ru) in malicious URLs.

Update: the full list of predicted domains is here: http://pastebin.com/8tfexYE3

Runforestrun update

Posted on June 26th, 2012 in 0day,exploit by dglosser

Old versions of Plesk store passwords in clear text:
-> http://blog.unmaskparasites.com/2012/06/26/millions-of-website-passwords-stored-in-plain-text-in-plesk-panel/

There is a remote SQL injection vulnerability in old versions of Plesk that lets attackers retrieve those stored passwords:
-> http://kb.parallels.com/en/113321

Combine the two and what do you get? Malware, of course.

Plesk Vulnerability Leading to Malware
http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html

Runforestrun and Pseudo Random Domains
http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/

Run, Forest! (Update) – block 95.211.27.206

https://isc.sans.edu/diary/Run+Forest+Update+/13561


We’ve added a bunch of these domains, but you should check the resources above for new domains as well as new IP addresses to block.


(Thanks to Jack W. for keeping us up-to-date on these developments.)


Vulnerabilityqueerprocessbrittleness

Posted on June 19th, 2012 in 0day,rogue antivirus by dglosser

The Internet Storm Center lists a bunch of fake antivirus domains. Several are already part of our list; we’ll be adding the rest in tonight’s update. We would appreciate it if someone could point us to a publicly available full list….

Flame/Flamer/Skywipe Domains & IPs

Posted on May 31st, 2012 in 0day by dglosser

Several sources have published detailed information (1, 2, 3, 4, 5) about the Flame (also known as Flamer or Skywiper) “attack toolkit”.

Some sites (1, 2) have also published the domains and IP addresses of Flame’s C&C servers…

IPs: 91.203.214.72, 91.135.66.118

Domains (defanged): traffic-spot .com, traffic-spot .biz, smart-access .net, quick-net .info
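Indicators like the ones above arrive defanged and are only useful once they are normalized and swept across your own DNS and proxy logs. The script below is an added example, not part of the original post: it refangs the Flame indicators listed above, then scans constructed BIND query-log and Squid access-log lines (sample traffic written for this example, not real captures), matching IPs exactly and hostnames against the indicator domain or any parent domain, so a subdomain of a listed C&C domain still fires.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# The Flame C&C indicators from the post above, kept in their defanged form.
FLAME_IOCS = [
    "91.203.214.72", "91.135.66.118",
    "traffic-spot .com", "traffic-spot .biz", "smart-access .net", "quick-net .info",
]

# Constructed sample log lines (not real traffic): two BIND-style query-log
# entries followed by two Squid-style proxy access-log entries.
SAMPLE_LOGS = [
    "11-Dec-2012 09:14:02.113 client 10.0.0.15#53211: query: update.traffic-spot.com IN A + (10.0.0.1)",
    "11-Dec-2012 09:14:03.002 client 10.0.0.15#53212: query: www.example.com IN A + (10.0.0.1)",
    "1355216045.120    312 10.0.0.22 TCP_MISS/200 1422 GET http://91.135.66.118/view.php - DIRECT/91.135.66.118 text/html",
    "1355216046.998     88 10.0.0.23 TCP_MISS/200 900 GET http://quick-net.info/ - DIRECT/198.51.100.7 text/html",
]


def refang(indicator: str) -> str:
    """Undo common defanging styles: 'a .com', 'a[.]com', 'a(.)com', 'hxxp://'."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = re.sub(r"\s*[\[\(]\.[\]\)]\s*", ".", s)   # a[.]com / a(.)com
    s = re.sub(r"\s+\.", ".", s)                   # a .com
    s = re.sub(r"\.\s+", ".", s)                   # a. com
    return s.rstrip("/")


def load_iocs(raw: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split indicators into an IP set and a domain set after refanging."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for item in raw:
        value = refang(item)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


# Hostname: dotted labels ending in an alphabetic TLD, not glued to a
# surrounding token (keeps "view.php" out of the middle of a URL path... it
# still gets extracted, but never matches an indicator).
_HOST = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")
_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_hit(host: str, domains: Set[str]):
    """Return the matching indicator if host equals it or sits beneath it
    (sub.bad.example matches bad.example). Bare TLDs are never considered."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines: Iterable[str], raw_iocs: Iterable[str] = FLAME_IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every line touching an IOC,
    de-duplicated per line so a host repeated in one log line counts once."""
    ips, domains = load_iocs(raw_iocs)
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        found = set()
        for ip in _IP.findall(low):
            if ip in ips:
                found.add((n, "ip", ip))
        for host in _HOST.findall(low):
            matched = domain_hit(host, domains)
            if matched:
                found.add((n, "domain", matched))
        hits.extend(sorted(found))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The parent-domain walk in `domain_hit` is what turns a short C&C list into useful coverage: the sample's `update.traffic-spot.com` lookup is caught by the `traffic-spot .com` indicator without anyone having to enumerate the hostnames the malware actually uses.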