Storm/CME711 Spam Domains

Posted on January 29th, 2008 in Domain News,Storm Worm by dglosser

DISOG has a list of over 400 pharmacy-related sites, many of which are using 5-minute TTLs with multiple A records (a characteristic of fast-flux hosting). A local copy is here.
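The "5-minute TTL with multiple A records" pattern above is the usual first-pass fast-flux heuristic, but on its own it also matches CDNs and load-balanced sites. The added example below (not from DISOG or malwaredomains.com) scores a name over several observed lookups and only flags it when the answers combine a low TTL with many distinct addresses spread across many /16 networks, which is what separates a flux network of compromised hosts from a CDN that rotates addresses inside a few blocks. The lookups, addresses (from 10.0.0.0/8) and thresholds are all constructed for the demonstration.

```python
"""Fast-flux triage over observed A-record answers (constructed sample data)."""
from dataclasses import dataclass
from typing import Iterable

LOW_TTL_SECONDS = 300  # the 5-minute TTL the post mentions


@dataclass(frozen=True)
class Lookup:
    """One observed answer set for a name: the TTL and the A records returned."""
    name: str
    ttl: int
    addresses: tuple


def _slash16(ip: str) -> str:
    """Collapse an IPv4 address to its /16 prefix, a rough proxy for 'same network'."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


def flux_score(lookups: Iterable[Lookup]) -> dict:
    """Summarise TTL and address diversity across all observed lookups of one name."""
    lookups = list(lookups)
    ips = {ip for lookup in lookups for ip in lookup.addresses}
    prefixes = {_slash16(ip) for ip in ips}
    return {
        "max_ttl": max(lookup.ttl for lookup in lookups),
        "distinct_ips": len(ips),
        "distinct_slash16": len(prefixes),
    }


def is_fast_flux_candidate(lookups: Iterable[Lookup], max_ttl: int = LOW_TTL_SECONDS,
                           min_ips: int = 6, min_prefixes: int = 4) -> bool:
    """Flag a name when low TTL, many addresses and many networks all coincide.

    Thresholds are assumptions for this example; tune them against your own traffic.
    """
    score = flux_score(lookups)
    return (score["max_ttl"] <= max_ttl
            and score["distinct_ips"] >= min_ips
            and score["distinct_slash16"] >= min_prefixes)


# Constructed observations: three lookups five minutes apart, each answer rotating
# through four hosts in unrelated /16 networks (the flux pattern).
FLUX_LOOKUPS = [
    Lookup("pharma-example.invalid", 300, tuple(f"10.{n}.0.{n}" for n in range(1, 5))),
    Lookup("pharma-example.invalid", 300, tuple(f"10.{n}.0.{n}" for n in range(5, 9))),
    Lookup("pharma-example.invalid", 300, tuple(f"10.{n}.0.{n}" for n in range(9, 13))),
]

# Constructed CDN-like name: even lower TTL and eight addresses, but all inside two /16s.
CDN_LOOKUPS = [
    Lookup("cdn-example.invalid", 60, ("10.50.1.1", "10.50.1.2", "10.50.1.3", "10.50.1.4")),
    Lookup("cdn-example.invalid", 60, ("10.51.1.1", "10.51.1.2", "10.51.1.3", "10.51.1.4")),
]

# Constructed static name: long TTL, single address.
STATIC_LOOKUPS = [Lookup("static-example.invalid", 86400, ("10.99.0.1",))]


if __name__ == "__main__":
    for label, lookups in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS), ("static", STATIC_LOOKUPS)):
        print(label, flux_score(lookups), "candidate" if is_fast_flux_candidate(lookups) else "ok")
```

The CDN case is the caveat to remember: a low TTL by itself is not evidence of anything, and a blocklist built from TTL alone will catch legitimate infrastructure. Address and network diversity over time is what makes the DISOG observation useful.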

Important – Malicious Domains to Block

Posted on January 18th, 2008 in New Domains,rogue antivirus,Storm Worm by dglosser

Domains to block (DO NOT VISIT):

31joy.com 3332210.net
333292.com 33391.net
99391.net alwaysproxy.info
antispywareboss.com ibank-halifax.com
lt8818.com nadnadzzz.info
pasengewood.com we168.org

Help fight spyware: Join the Spyware Listening Post!

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference

Russian Business Network

Posted on January 15th, 2008 in Domain News,rogue antivirus,Storm Worm by dglosser

Dancho Danchev has a great write-up on the Russian Business Network’s malicious practices, including the relationship between the New Media Malware Gang and the Storm Worm. A must read. Domains include:

aero4 (dot) cn firewalllab (dot) cn otrix (dot) ru tarog (dot) us

Domains will be added on the next update…

Also, the first rogue application for the Mac: scanner (dot) macsweeper (dot) com

New Iframe exploits

Posted on January 11th, 2008 in Domain News,New Domains,Storm Worm by dglosser

Dancho Danchev’s blog lists several domains full of exploits, using “comprehensive multiple IFRAMES loading campaigns”:

8v8 (dot) biz uc147 (dot) com 070808 (dot) net qx13 (dot) cn
sbb22 (dot) com uuzzvv (dot) com 55189 (dot) net 749571 (dot) com
jqxx (dot) org mm5208 (dot) com 68yu (dot) cn 2365 (dot) us
loveyoushipin (dot) com yun878 (dot) com xks08 (dot) com
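The lists on this site are published defanged ("aero4 (dot) cn", "hxxp://ptowl.com") so that nobody clicks them by accident, but a resolver blocklist needs clean names. The added example below (not code from malwaredomains.com) refangs such entries, normalises them (lowercase, trailing dot removed, duplicates dropped, invalid labels rejected) and emits BIND `zone` statements of the kind the spywaredomains.zones file provides, pointing every listed domain at a local sinkhole zone file. The sinkhole file path is an assumption for the example; the entries fed in are taken from the lists on this page.

```python
"""Refang defanged domain entries and emit BIND blackhole zone statements."""
import re

# Matches "(dot)" / "[dot]" with any surrounding whitespace, case-insensitively.
DEFANG_RE = re.compile(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", re.IGNORECASE)
# One DNS label: 1-63 chars of letters, digits or hyphen, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def refang(entry: str) -> str:
    """Turn 'aero4 (dot) cn' or 'hxxp://ptowl.com/ <-- New' into a bare lowercase domain."""
    s = entry.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)   # defanged scheme used in the US-CERT list
    s = DEFANG_RE.sub(".", s)           # "(dot)" -> "."
    s = s.split()[0] if s.split() else ""  # drop trailing annotations such as "<-- New"
    s = s.split("/")[0]                 # drop any path
    return s.rstrip(".")                # "jidov.net." -> "jidov.net"


def is_valid_domain(domain: str) -> bool:
    """Require at least two labels, each a valid hostname label."""
    labels = domain.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def normalize(entries) -> list:
    """Refang, validate and de-duplicate while preserving first-seen order."""
    seen = set()
    out = []
    for entry in entries:
        domain = refang(entry)
        if domain and is_valid_domain(domain) and domain not in seen:
            seen.add(domain)
            out.append(domain)
    return out


def bind_zone_statements(domains, sink_file="/etc/namedb/blockeddomain.hosts") -> list:
    """One BIND zone statement per domain, all served from one sinkhole zone file.

    The sinkhole path is an assumption for this example, not the site's own value.
    """
    return [f'zone "{d}" {{ type master; file "{sink_file}"; }};' for d in domains]


# Entries as they appear on this page (defanged, mixed notation, one duplicate, one stray).
SAMPLE_ENTRIES = [
    "aero4 (dot) cn",
    "firewalllab (dot) cn",
    "hxxp://ptowl.com <-- New",
    "jidov.net.",
    "Aero4.cn",          # duplicate of the first entry, different case
    "not a domain",      # rejected: single label
]


if __name__ == "__main__":
    for line in bind_zone_statements(normalize(SAMPLE_ENTRIES)):
        print(line)
```

Because every zone points at the same sinkhole file, adding a domain is one line in named.conf and one reload; the zone file itself only needs an SOA, an NS and a wildcard A record for the sinkhole address you choose.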

In better news, Shadowserver reports that the 17 Storm Worm domains, including i-halifax.com and i-barclays.com, appear to have all been placed in a status of “NOT DELEGATED” over at nic.ru, preventing A records from being returned when looking up the domains. (Some of the other holiday-related Storm Worm domains still have their NS records.)

Big Malware Domain Blocklist Update

Posted on January 9th, 2008 in New Domains,Phishing,Storm Worm,zlob by dglosser

Added the following domains:

172127112.com 365fastcash.com
51ym.com 8v8.biz
antispycheck.com bkoz.cn
cnxiguayb.cn cuyd.cn
esnt.cn feiyu666.com
i-barclays.com i-halifax.com
jidov.net. jxzol.cn
ljcctv.com malwarecrush.com
mumaqq.cn swf1.flashxyx.com
tel-8.cn tel-8.com.cn
tel-8.net tell8.com.cn
tfdyw.cn yyzmx.cn

For some reason, the zones files didn’t upload right and I don’t have access to them now. They will be loaded up soon.

Help fight spyware: Information on the Spyware Listening Post is located at: http://malwaredomains.com/?page_id=67

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference

Storm Worm Phishing Domains

Posted on January 8th, 2008 in Phishing,Storm Worm by dglosser

SecurityZone reports that the Storm Worm crew have registered two new domains:

i-barclays.com
i-halifax.com

These domains are on the fast flux network and hosting phishing scams.

New Years Greetings

Posted on January 1st, 2008 in New Domains,Storm Worm,zlob by dglosser

Added more storm worm and zlob domains:

backdoor-guard.com bug-strike.com
errorsweeper.com familypostcards2008.com
freshcards2008.com happy2008toyou.com
happysantacards.com hellosanta2008.com
hohoho2008.com mymetavids.com
newscorpalerts.com parentscards.com
postcards-2008.com regclean.com
santapcards.com santawishes2008.com

Updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference

12/30 DNS Blackhole List Update

Posted on December 31st, 2007 in fake codecs,New Domains,Storm Worm by dglosser

Mostly Storm Worm Domains listed in previous posts:

10000xing.cn 222360.com adslooks.info bnably.com
eqcorn.com kqfloat.com ltbrew.com obebos.cn
ptowl.com qavoter.com siski.cn snbane.com
tushove.com wxtaste.com yxbegan.com tibeam.com
snlilac.com

More Storm Worm Domains

Posted on December 30th, 2007 in New Domains,Storm Worm by dglosser

US-CERT has released its own list of Storm Worm domains:

  • hxxp://newyearcards2008.com/
  • hxxp://merrychristmasdude.com
  • hxxp://ptowl.com <– New
  • hxxp://uhavepostcard.com
  • hxxp://yxbegan.com <– New
  • hxxp://happycards2008.com

Also, according to this source, the following domains were purchased at the same time:

tushove.com; tibeam.com; kqfloat.com; snbane.com; yxbegan.com; snlilac.com; qavoter.com; ptowl.com; wxtaste.com; eqcorn.com; ltbrew.com; bnably.com; fncarp.com

Usually these domains would be considered “unverified”, but in light of the Storm Worm activity, they will be added to the main list in the next update.

Storm Worm Domains

Posted on December 29th, 2007 in New Domains,Storm Worm by dglosser

Domains are now:

merrychristmasdude.com
happycards2008.com
uhavepostcard.com
newyearwithlove.com
newyearcards2008.com