Abuse.ch: Cybercriminals Moving Over To TLD .su

Posted on January 29th, 2012 in General Security by dglosser

According to abuse.ch, cybercriminals are moving from .ru to .su (.su is the top-level domain for the Soviet Union, which no longer exists).

Abuse.ch recommends examining your gateway logs and, if you don’t see any legitimate .su domains being used in your company, simply blocking .su.
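One way to do that log review before blocking the TLD, as an added example that is not from abuse.ch or the original post. It assumes a Squid-style access log layout (client in field 3, URL or CONNECT target in field 7); the sample lines, hostnames and the `legit_hosts` list are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (assumed layout):
# timestamp elapsed client action/code bytes method target ...
SAMPLE_LOG = """\
1327800000.101 120 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1327800001.202 340 10.0.0.22 TCP_MISS/200 812 GET http://update.example-one.su/gate.php - DIRECT/192.0.2.20 text/html
1327800002.303 95 10.0.0.22 TCP_MISS/200 640 POST http://update.example-one.su/gate.php - DIRECT/192.0.2.20 text/html
1327800003.404 210 10.0.0.31 TCP_MISS/200 0 CONNECT mail.example-two.SU:443 - DIRECT/192.0.2.30 -
1327800004.505 80 10.0.0.15 TCP_MISS/200 900 GET http://example.ru/news.su.html - DIRECT/192.0.2.40 text/html
1327800005.606 75 10.0.0.40 TCP_MISS/200 700 GET http://sub.example.su.example.net/ - DIRECT/192.0.2.50 text/html
"""

def request_host(target):
    """Return the lower-cased hostname from a URL or a CONNECT host:port."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare host:port
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def su_hits(lines):
    """Map each requested .su hostname to its request count and client IPs."""
    hits = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        host = request_host(fields[6])
        # Match on the hostname only, so ".su" in a path or a middle
        # label (sub.example.su.example.net) is not counted.
        if host and host.endswith(".su"):
            hits[host]["requests"] += 1
            hits[host]["clients"].add(fields[2])
    return dict(hits)

def can_block_su(hits, legit_hosts=frozenset()):
    """True when no observed .su host is on the analyst's legit list."""
    return not any(host in legit_hosts for host in hits)

if __name__ == "__main__":
    observed = su_hits(SAMPLE_LOG.splitlines())
    for host, info in sorted(observed.items()):
        print(host, info["requests"], sorted(info["clients"]))
    print("block .su:", can_block_su(observed))
```

The per-host client list also shows which internal machines to look at when an unexpected .su host turns up.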

HostExploit – Q4 2011 Top 50 Bad Hosts and Networks

Posted on January 24th, 2012 in General Security by dglosser

Top 50 Bad Hosts & Networks Q4 2011

HostExploit is pleased to present the Q4 2011 report on the Top 50 Bad Hosts and Networks, in collaboration with Russian security company Group-IB.

The final quarter of 2011 saw AS47583 Hosting Media move up to #1 Bad Host, having been well known in the Top 10 for some time. The Lithuanian-based host was found to be supporting some of the worst types of threats including several botnet-related activities such as Zeus as well as C&C servers, exploit servers, phishing servers, malware and badware.

HostExploit analyzed all 39,796 publicly-advertised Autonomous Systems (including web hosts, commercial networks and registrars) with the results represented in a number of ways. Also included are features on the latest threats such as smartphone infections and the “Dirt Jumper” DDoS botnet.

We’ll be examining domains living on AS47583 and other Bad Hosts and adding them to our blocklist, but you should perform your own research and add them as appropriate.

EFFORT: Efficient and Effective Bot Malware Detection

Posted on January 20th, 2012 in General Security by dglosser

A research paper using our data:

EFFORT: Efficient and Effective Bot Malware Detection – http://faculty.cs.tamu.edu/guofei/paper/Shin_Infocom12_EFFORT.pdf

Again, we encourage research using our data, but please let us know so we can reference it here.

Evil Network: AS48691 (

Posted on January 3rd, 2012 in Domain News,General Security by dglosser


From Dynamoo’s Blog:

“but there is still not a legitimate site in sight. Most of the bad sites are currently on but you should block access to ( - if you can, because this range of IP addresses is nothing but trouble.”

Malware forces Atlanta area hospitals to stop accepting patients

Posted on December 21st, 2011 in General Security by dglosser


Malware forces Atlanta area hospitals to stop accepting patients

Two medical centers lose computer systems for four days, source of infection unknown

Browser Wars

Posted on December 19th, 2011 in General Security by dglosser

Accuvant LABS just published a “Browser Security Comparison” [1], but also see [2].

The data from this site was one of the URL Blocklists used in Accuvant’s study.
We encourage research using this and other blocklists, but please let us know when the article is published.

[1] http://www.accuvant.com/sites/default/files/images/webbrowserresearch_v1_0.pdf


About.US RFI

Posted on November 30th, 2011 in General Security by dglosser

According to this report, the domain registrar “about.us” is completely compromised with RFI (Remote File Inclusion) scripts exploiting the WordPress TimThumb vulnerability.

OT: “But it’s Encrypted”

Posted on November 18th, 2011 in General Security,Off Topic by dglosser

At my “real job”, I’m constantly getting pushback from users, ops people (netadmins, sysadmins, etc.) and developers about security. For example:

  • “This isn’t the Pentagon”
  • “We can’t do our work”
  • “But it’s encrypted and the key is only by two different people”
  • “You say it’s a security issue, but we haven’t been hacked so far, so how much of a risk can it be?”

At first glance, of these statements seem valid and reasonable (especially when it’s presented to upper management).

When management comes to you with these statements, there need to be simple, concise answers (maybe two, for both technical and non-technical users).

How many of you have received these arguments from users?
What other arguments have you received?
How have you responded? (especially if you “won” the argument and convinced the user and manager)

We’ll collect the responses and summarize. Email us at 12malware8domains789@32gmail33.com33 (remove numbers)